Logstash - syslog output

humartinez · May 20, 2022, 11:54am

Hi,
Im with some issues configuring the output to syslog. It may be some syntax that Im unaware of, but I can't use my document field values to map some of the plugin output fields.

Im trying to use one of my records fields in order to use with the syslog output plugin (according to the documentation of the plugin) and logstash is unable to write the value of the field instead it s writes the name of the field as literal.

Here is my config and output that the syslog is getting

    # all input will come from filebeat, no local logs
    input {
      beats {
        port => 5074
      }
    }

    filter {
      json {
        source => "message"
      }
      if [audit_log] and [audit_log][0] {
         split {
           field => "audit_log"
         }
         mutate {
           remove_field => ["message"]
        }
       } else {
           drop { }
       }

    }

    output {
      syslog {
        host => "my_syslog_host"
        port => 514
        protocol => "udp"
        appname => "%{log_type}"
        message => "%{audit_log}"
      }
    }

May 20 10:16:39 10-213-123-179 {"name":"filebeat-audit-mongodb-547c49bf4d-zpmfd"} %{[log_type]}[-]: 2022-05-20T10:16:39.594Z {name=filebeat-audit-mongodb-547c49bf4d-zpmfd} %{message}
May 20 10:16:39 10-213-123-179 {"name":"filebeat-audit-mongodb-547c49bf4d-zpmfd"} %{[log_type]}[-]: 2022-05-20T10:16:39.594Z {name=filebeat-audit-mongodb-547c49bf4d-zpmfd} %{message}
May 20 10:31:43 10-213-123-179 {"name":"filebeat-audit-mongodb-547c49bf4d-zpmfd"} %{[log_type]}[-]: 2022-05-20T10:31:43.545Z {name=filebeat-audit-mongodb-547c49bf4d-zpmfd} %{message}
May 20 10:31:43 10-213-123-179 {"name":"filebeat-audit-mongodb-547c49bf4d-zpmfd"} %{[log_type]}[-]: 2022-05-20T10:31:43.545Z {name=filebeat-audit-mongodb-547c49bf4d-zpmfd} %{message}

As a workarround I renamed the field audit_log to message, but If I want to change the value of the appname , severity or whatever, the notation "%{foo}" do not work.

leandrojmp · May 20, 2022, 12:37pm

When you have the literal value of the field like %{field_name} this normally indicates that the field does not exist in the document.

I do not see anything wrong in the output configuration.

Can you add a stdout output and share the document that is being created in the output block?

Badger · May 20, 2022, 5:23pm

You are only splitting this field if it is already an array. Is that really what you want?

As Leandro says, the appearance of %{[log_type]} in the output means that field does not exist, since the code does sprintf the option.

humartinez · May 23, 2022, 6:23am

Guys,
The field exist, here is a sample of my doc

Also @Badger the conditional is to drop events in which the array audit_log is empty

humartinez · May 23, 2022, 12:20pm

@leandrojmp the most anoying is appname, and the field that I need to put ther is log_type, the message string I work arround it by renaming the field audit_log to message.

I changed my config to

    output {
      syslog {
        host => "rsyslog.monitoring.svc.cluster.local"
        port => 5514
        protocol => "udp"
        appname => "logstash.%{log_type}"
      }
    }

rsyslog output

May 23 12:40:37 10-213-162-57 {"name":"filebeat-audit-mongodb-547c49bf4d-gh52h"} logstash.%{log_type}[-]: 2022-05-23T12:40:37.640Z .....

And I still can't read the field log_type

humartinez · May 24, 2022, 7:05am

Could someone give me another clue about this issue?

humartinez · May 25, 2022, 2:14pm

If someone is so kind to help me it would be appreciated

humartinez · May 31, 2022, 10:57am

any clue?

leandrojmp · May 31, 2022, 12:33pm

Can you provide this in plain text?

As already said before, the existence of %{log_type} indicates that the field does not exist.

Try to set a file output to test what is passing through logstash, and also set the stdout output.

For example:

output {
    file {
        path => "/tmp/test-output.log"
        codec => line { format => "%{log_type} - %{audit_log} - %{message}" }
    }
    syslog { your syslog output }
   stdout {}
}

This part of the code in the syslog output is pretty simple, if the field exists, it will sprintf to get the value.

Does this happens for every message or just some?

Can you track the same message and share how it appears in the source file before being read by filebeat, and in the logstash outputs of syslog, file and stdout? Also, do not remove the message field until you figure out what is the issue, being able to see the original message field can help in the troubleshooting process.

If the field really exists, but the syslog output is not making a sprintf to get its value, then it could be a bug and you will need to open an issue in the repository.

system · June 28, 2022, 12:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.