Logstash syslog output: Weird message processing

froto · November 14, 2019, 8:51am

Hey there!

I've been trying to send a part of my events to another syslog receiver for further processing.

I use the logstash-output-syslog plugin for this purpose.

This is my configuration:

> output {
> if "flow" in [tags] {
>   syslog {
>   host => ["127.0.0.1"]
>   port => 515
>   message => "from:%{[flow][src_addr]} to %{[flow][dst_addr]} src_addr_locality=%{[flow][src_addr_locality]} dst_addr_locality=%{[flow][dst_addr_locality]} dst_port=%{[flow][dst_port]}"
>           }
>     }
> }

All these fields definitely exist!

If I filter the logstash output via tcpdump I only get the following message:

<13>Nov 14 08:39:46 %{host} LOGSTASH[-]: 2019-11-14T08:39:46.976Z %{host} %{message}

Does anyone have a idea why the event contains the value "%{message}" and not the configured string ?

(I am using Logstash-OSS 7.3.1 and the latest syslog output plugin)

iridescent233 · November 14, 2019, 9:17am

Change the part of message => "" to
codec => plain {
format => "from:%{[flow][src_addr]} to %{[flow][dst_addr]} src_addr_locality=%{[flow][src_addr_locality]} dst_addr_locality=%{[flow][dst_addr_locality]} dst_port=%{[flow][dst_port]}"
}

iridescent233 · November 14, 2019, 9:29am

You can also modify the source code of the logstash-output-syslog plugin to define it in whatever format you want.it‘s so easy.

system · December 12, 2019, 9:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Logstash 7.2] Syslog Output message Logstash	2	1015	August 30, 2019
Mantain source IP TCP Output Logstash	7	1451	May 15, 2022
Parsing Syslog to Logstash Logstash	6	489	March 10, 2020
Logstash syslog output ignores message Logstash	1	635	March 20, 2020
How to separate arriving syslog messages Logstash	1	398	December 2, 2019

Logstash syslog output: Weird message processing

Related topics