Logstash syslog output message => %{_source}

souf_el_badraoui · April 2, 2019, 3:51pm

Hello,
We are trying to forward windows event log shipped with winlogbeat via logstash output syslog. The problem is that we want to forward all fields (ideally key1=value1 key2=value2...) and not just the message field. We can't construct a new field concatenating all the others because we don't know which field will be available depending on the windows event log. Is it possible to use the _source field like :

Output {
  syslog{
    message => "%{_source}"
  }
}

because this field is exactly what we want to forward via syslog.
Thank you for your help !!

Badger · April 2, 2019, 5:47pm

Actually you can do exactly that using a ruby filter

    ruby {
        init => '@ignore = [ "@metadata", "@version" ]'
        code => '
            s = ""
            event.to_hash.each { |k, v|
                unless @ignore.include?(k)
                    s = s + "#{k}=#{v},"
                end
                event.set("message", s.chomp(","))
            }
        '
    }

system · April 30, 2019, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to send full event to syslog Logstash	4	437	February 21, 2020
Syslog Output only transferring the "message" field Logstash	15	649	March 15, 2024
[Logstash 7.2] Syslog Output message Logstash	2	1015	August 30, 2019
Logstash-output-syslog full json in message? Logstash	11	4383	August 30, 2018
Logstash syslog output: Weird message processing Logstash	3	428	December 12, 2019

Logstash syslog output message => %{_source}

Related topics