Logstash syslog output ignores message

Hi, logstash syslog output is ignoring the message y configure and adds something "%{host}" in the message, dont know what may be wrong.

I have 2 servers, one with filebeat 1.3.1 reading apache logs and shipping them to another server with logstash 7.5 that receives them, parse them and send them to local filesystem and to remote syslog.

With the following configuration in logtash (this is partial configuration):

input { pipeline { address => "to_syslog" } }
output {
  if [filename] != "ssl_request_log" {
  if [type] == "apache" and [exclude_host] == "false" and !([event_type] =~ "modsecurity" and [message] =~ "PCRE") and [exclude_vhost] != "exclude" and [exclude_request] == "false" {
            syslog {
                    host => "n.n.n.n"
                    port => 514
                    protocol => "tcp"
                    rfc => rfc5424
                    sourcehost => "XX_host_XX"
                    appname => "XX_event_type_XX"
                    message => "XX_message_XX"
                   }
     }
  }
}

In syslog i get:

Feb 21 15:44:39 XX_host_XX XX_event_type_XX 2020-02-21T15:44:39.278Z %{host} <<<obfuscated_1>>>

As you can see, theres a %{host} in the syslog message and not the original message.

The original message coming from filebeat is <<<obfuscated_1>>>

If before the output I add a filter and add the field host, then in the syslog instead of %{host} i get the value of host.

Can anyone tell me why the syslog output adds the %{host} to the message (that i have not even mentioned in the output) and sends the original message even when i configured the message parameter in the syslog output to a fixed string?

thanks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.