Nested fields in syslog output plugin

dsv · March 15, 2021, 1:17pm

Hey guys, i'm not able to send a nested field in the syslog output plugin.
syslog {
host => "1.7.3.9"
rfc => "rfc5424"
codec => cef
{
delimiter => "|"
fields => [
"[destination][ip]",
"message"
]
}
}
Not nested fields like message works good.

I've tried in syslog output fields array:
[destination][ip]
destination.ip
%{destination.ip}
%{[destination.ip]}
%{[destination][ip]}

In the elasticsearch JSON documents the destination.ip field looks like:
"destination": {
"domain": "mysrv.mydomain",
"port": 80,
"ip": "12.1.2.1"
}
Thanks

Regards,
Sergey

Badger · March 15, 2021, 2:59pm

input { generator { count => 1 lines => [ 'foo' ] } }
filter { mutate { add_field => { "[destination][ip]" => "12.1.2.1" } } }
output  { stdout { codec => cef { delimiter => "|" fields => [ "[destination][ip]", "message" ] } } }

results in

 [2021-03-15T10:56:07,552][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
 CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|destinationip=12.1.2.1 message=foo|[2021-03-15T10:56:07,718][INFO ][logstash.javapipeline...

I suspect you want delimiter => '\n', rather than delimiter => "|".

dsv · March 15, 2021, 4:54pm

Great thanks!
I really missed my [destination][ip] can be rarely nonzero.
fields => [ "[destination][ip]" ] works!
Delimiter "|" is ok for me.

system · April 12, 2021, 4:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.