Hi, logstash newbie in need of advice
I am using logstash to ingest google pub/sub messages, which are single-line json messages, and want to forward them to a syslog server. Ingestion and writting the message to a file works fine.
my output stanza:
syslog {
host => "127.0.0.1"
port => 514
facility => "local0"
severity => "informational"
rfc => "rfc5424"
appname => "stackdriver"
sourcehost => "gcp"
}
but syslog is ignoring facility and severity, and its not passing the message as the syslog msg.
syslog debug shows PRI as 117 (logalert.notice), and the msg field is literally "%{message}"
Debugged syslog message:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'gcp', PRI: 117,
syslogtag 'stackdriver', programname: 'stackdriver', APP-NAME: 'stackdriver', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr 3 15:53:53', STRUCTURED-DATA: '-',
msg: '%{message}'
escaped msg: '%{message}'
inputname: imudp rawmsg: '<117>1 2018-04-03T15:53:53.456+00:00 gcp stackdriver - - - %{message}'
main concern is passing the JSON message as the syslog msg, PRI is secondary...
Thanks!!
Edit: This is complete config file
input {
google_pubsub {
project_id => "bosh-concourse-2018"
topic => "bosh-concourse-2018"
subscription => "logstash-sub"
json_key_file => "/usr/share/logstash/creds/pubsub.json"
}
}
output {
file {
path => "/var/log/logstash/pubsub-output.log"
flush_interval => 0
}
syslog {
host => "127.0.0.1"
port => 514
facility => "local0"
severity => "informational"
rfc => "rfc5424"
appname => "stackdriver"
sourcehost => "gcp"
}
}