Logstash syslog output format

Hello guys!
I have a question about the syslog output plugin.

Configuration:

output {
  if "mail" in [tags] {
    syslog {
      facility => "local0"
      host => "192.168.0.3"
      port => "514"
      severity => "informational"
      protocol => "udp"
    }
  }
}

Output result:
Jun 14 10:23:07 ls09 %{host} LOGSTASH[ ]: *mail log*

How can I delete the "Jun 14 10:23:07 ls09 %{host} LOGSTASH[ ]: " part of the syslog output, and just send the *mail log* messages by syslog?

Why are you using syslog output if you don't want syslog format?
You can just use udp output instead.

If you want to insist on using syslog output for some reason, I guess you can define the codec as line and change the formatting.

Just because the *mail log* is this: "Jun 14 14:27:42 mail46 postfix/smtpd[43252]: disconnect from pc1[192.168.0.7]"

And I want to send only the *mail log* as a syslog message, without Jun 14 10:23:07 ls09 %{host} LOGSTASH[ ]:

Now I have the following: Jun 14 10:23:07 ls09 %{host} LOGSTASH[ ]: Jun 14 14:27:42 mail46 postfix/smtpd[43252]: disconnect from pc1[192.168.0.7]

That didn't answer the question.

If you don't want syslog headers but only the message part, you are better off using either udp or tcp output plugin.

EDIT: Maybe I misunderstood. So you are saying you get double headers?

If you don't want syslog headers but only the message part, you are better off using either udp or tcp output plugin.

Yes, I catch your thought.

So you are saying you get double headers?

Yes. If I use syslog I get double headers, one from LS and the other from my mail log... Can I use only the mail log headers in my syslog message?

If you want to preserve original headers, ditch the syslog output and use udp or tcp output as I said.

If you want to get rid of the original header and generate a new one, you have to parse the old header away - for example with grok - and use syslog output.
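
Both options from the last reply combined in one pipeline, as an added example that is not part of the original thread: lines that grok can parse get a single rebuilt header through the syslog output, and lines that fail to parse are forwarded unchanged through the udp output. The `mail_*` field names are assumptions; host, port, facility and severity are taken from the configuration in the question.

```logstash
filter {
  if "mail" in [tags] {
    # Split the original header off the message. Field names (mail_*) are assumed.
    grok {
      match => {
        "message" => "^%{SYSLOGTIMESTAMP:mail_ts} %{SYSLOGHOST:mail_host} %{DATA:mail_prog}(?:\[%{POSINT:mail_pid}\])?: %{GREEDYDATA:mail_msg}$"
      }
    }
    # Use the original event time as @timestamp, so the rebuilt header
    # carries the time the mail server logged, not the time Logstash sent it.
    date {
      match => ["mail_ts", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    }
    # Lines without a [pid] would otherwise render a literal "%{mail_pid}".
    if ![mail_pid] {
      mutate { add_field => { "mail_pid" => "-" } }
    }
  }
}

output {
  if "mail" in [tags] {
    if "_grokparsefailure" in [tags] {
      # Header could not be parsed: send the raw line as-is, original header intact.
      udp {
        host => "192.168.0.3"
        port => 514
        codec => plain { format => "%{message}" }
      }
    } else {
      # Header was parsed away: let the syslog output generate exactly one header
      # from the original host, program and pid instead of "%{host} LOGSTASH[ ]".
      syslog {
        host => "192.168.0.3"
        port => 514
        protocol => "udp"
        facility => "local0"
        severity => "informational"
        sourcehost => "%{mail_host}"
        appname => "%{mail_prog}"
        procid => "%{mail_pid}"
        message => "%{mail_msg}"
      }
    }
  }
}
```

Keeping the original host and timestamp in the single header matters when the receiver is a SIEM or log archive, since correlation and timelines rely on the source's values rather than the forwarder's.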
