Logstash Syslog output plugin streaming adds additional headers

Hi
We are using Logstash syslog output plugin v3.0.5 to stream audit logs to an external SIEM server using TCP with SSL. It is observed that there are additional headers automatically appended by the plugin to the original log and this causes parsing issues in the external server. Is this the expected behavior or is there a config to remove this header? An example:

```
<141>Aug  4 11:08:35 XXX-XXX-XXX-XX.XXX.XX.XX LOGSTASH[fwd-external]: 2022-08-04T15:08:35.663370+04:00 XXX-XXX-01 audispd: node=XXX-XXX-01.XXX.corp.ae type=USER_AUTH msg=audit(1659611315.661:190341): pid=24897 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_rootok acct=karaf" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'"
```

In this example, `<141>Aug 4 11:08:35 XXX-XXX-XXX-XX.XXX.XX.XX LOGSTASH[fwd-external]` seems to be the header added by Logstash, which seems to be (timestamp, logstash hostname, application name, procid).
Is it possible to remove this header?

Following is the `/etc/logstash/conf.d/auditlogs-syslog.conf`:

```
output {
  if [logplane] == "auditlogs" {
    syslog {
        facility => "local3"
        host => "localhost"
        port => 514
        sourcehost => "<HOSTNAME>"
        procid => "fwd-external"
    }
  }
}
```

Thanks
Anandh

No. syslog requires this header. See here for the code that adds it.

If you don't want syslog format data then don't use a syslog output. Try tcp instead.
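The header the question shows is the RFC 3164 syslog framing (`<PRI>timestamp hostname appname[procid]: message`) that the syslog output prepends to every event, and the audit record is carried as the message body. If the receiving side must keep using the syslog output, the practical fix is on the SIEM side: parse that header off and keep the original audit line. The following parser is an added example written for this thread, not code from Logstash or the syslog output plugin; the sample line is constructed to mirror the one in the question, with a placeholder hostname, and the facility/severity names follow the standard RFC 3164 numbering (PRI = facility * 8 + severity).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout emitted by the Logstash syslog output (RFC 3164 style):
#   <PRI>MMM dd HH:MM:SS HOSTNAME APPNAME[PROCID]: MESSAGE
# The day is space-padded ("Aug  4"), hence the "[ \d]\d" group.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<appname>[^\[\s:]+)(?:\[(?P<procid>[^\]]*)\])?: "
    r"(?P<message>.*)$",
    re.DOTALL,
)

# Standard RFC 3164 facility and severity codes, in numeric order.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    hostname: str      # the Logstash host (the plugin's "sourcehost")
    appname: str       # the plugin's "appname", "LOGSTASH" by default
    procid: Optional[str]
    message: str       # the original event, i.e. the audit line the SIEM wants


def parse_syslog_line(line: str) -> Optional[SyslogRecord]:
    """Split a Logstash syslog-output line into header fields and body.

    Returns None if the line does not carry a valid RFC 3164 header, so the
    caller can decide whether to treat it as a bare message.
    """
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 severities is the maximum legal PRI
        return None
    return SyslogRecord(
        facility=FACILITIES[pri >> 3],
        severity=SEVERITIES[pri & 7],
        timestamp=m.group("timestamp"),
        hostname=m.group("hostname"),
        appname=m.group("appname"),
        procid=m.group("procid"),
        message=m.group("message"),
    )


def strip_syslog_header(line: str) -> str:
    """Return only the embedded message; pass non-syslog lines through untouched."""
    rec = parse_syslog_line(line)
    return rec.message if rec is not None else line


# Constructed sample modelled on the line in the question (hostnames are placeholders).
SAMPLE = (
    "<141>Aug  4 11:08:35 logstash-host.example LOGSTASH[fwd-external]: "
    "2022-08-04T15:08:35.663370+04:00 audit-host-01 audispd: node=audit-host-01 "
    "type=USER_AUTH msg=audit(1659611315.661:190341): pid=24897 uid=0 res=success"
)

if __name__ == "__main__":
    rec = parse_syslog_line(SAMPLE)
    print(rec)
    print(strip_syslog_header(SAMPLE))
```

Because the parser returns `None` for anything without a well-formed `<PRI>` header, the same code can be put in front of a collector that receives both the syslog output's framed lines and plain lines from a `tcp` output during a migration, and only the framed ones lose their header.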
