Logstash syslog output message => %{_source}

souf_el_badraoui · April 2, 2019, 3:51pm

Hello,
We are trying to forward windows event log shipped with winlogbeat via logstash output syslog. The problem is that we want to forward all fields (ideally key1=value1 key2=value2...) and not just the message field. We can't construct a new field concatenating all the others because we don't know which field will be available depending on the windows event log. Is it possible to use the _source field like :

Output {
  syslog{
    message => "%{_source}"
  }
}

because this field is exactly what we want to forward via syslog.
Thank you for your help !!

Badger · April 2, 2019, 5:47pm

Actually you can do exactly that using a ruby filter

    ruby {
        init => '@ignore = [ "@metadata", "@version" ]'
        code => '
            s = ""
            event.to_hash.each { |k, v|
                unless @ignore.include?(k)
                    s = s + "#{k}=#{v},"
                end
                event.set("message", s.chomp(","))
            }
        '
    }

system · April 30, 2019, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.