Parsing ASCII character 30

I have several dockers sending their logs to ELK.

input {
  udp {
    port => 5000
    type => docker
  }
}

filter {
  if [type] == "docker" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

When I listen to the UDP packets sent by the Docker containers, I can print out the following:

172.17.0.27 : <30>Dec 3 15:32:29 dev-WP_Docker-AT-node_1[991]: 172.22.11.1 - - [03/Dec/2018:15:32:29 +0000] "GET / HTTP/1.0" 200 27334 "-" "Wget/1.19.4 (linux-gnu)"

I would assume <30> is in fact the ASCII character 30... but I cannot remove it, and therefore the message is not correctly parsed (it is not parsed at all).

Any hint appreciated.

\T,
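The packet quoted above can be taken apart outside Logstash to see what the leading "<30>" actually is. The following is an added example, not code from the original post or from Logstash/Elastic: it treats "<30>" as the RFC 3164 PRI header (the four ASCII bytes "<", "3", "0", ">", whose numeric value is facility * 8 + severity), decodes it, parses the rest of the syslog envelope, and then parses the access-log line the container wrote. All function and field names are this example's own, and the second and third sample lines are constructed here; only the first is the packet from the post.

```python
"""Parse the syslog datagrams Docker's syslog log driver sends to a UDP input.

Added example (not from the original post or from Logstash/Elastic). The "<30>"
at the start of the captured packet is the RFC 3164 PRI header, not a control
character: PRI = facility * 8 + severity, so 30 decodes to daemon(3) / info(6).
Field and function names below are this example's own, not Logstash's.
"""
import re
from datetime import datetime

# RFC 3164 facility codes (the commonly seen ones) and the eight severities.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP [HOSTNAME ]TAG[PID]: MSG. The hostname is optional because the
# packet in the post carries none: Docker put the container name in the TAG slot.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<hostname>[^\s\[:]+) )?"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Combined access-log format, as in the payload of the post's packet.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def decode_pri(pri):
    """Split an RFC 3164 PRI value into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, "facility%d" % facility), SEVERITIES[severity]


def parse_syslog(line, year=2018):
    """Parse one datagram into a dict, or return None if it is not RFC 3164 shaped.

    RFC 3164 timestamps carry no year, so the caller supplies it (the post's
    packet is from December 2018).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    # Collapse the padded day ("Dec  3") so strptime sees single separators.
    ts = " ".join(m.group("timestamp").split())
    return {
        "pri": int(m.group("pri")),
        "facility": facility,
        "severity": severity,
        "timestamp": datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S"),
        "hostname": m.group("hostname"),
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("message"),
    }


def parse_access_log(message):
    """Parse a combined-format access-log payload; None if the message is not one."""
    m = ACCESS_RE.match(message)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "request": m.group("request"),
        "status": int(m.group("status")),
        "bytes": None if m.group("bytes") == "-" else int(m.group("bytes")),
        "referer": m.group("referer"),
        "agent": m.group("agent"),
    }


def parse_datagram(line, year=2018):
    """Syslog envelope plus, when the payload is an access-log line, its fields."""
    event = parse_syslog(line, year)
    if event is not None:
        event["access"] = parse_access_log(event["message"])
    return event


# First line: the packet quoted in the post. The other two are constructed here
# to exercise a hostname, a pid-less tag and a different PRI (34 = auth/crit).
SAMPLE_LINES = [
    '<30>Dec 3 15:32:29 dev-WP_Docker-AT-node_1[991]: 172.22.11.1 - - [03/Dec/2018:15:32:29 +0000] "GET / HTTP/1.0" 200 27334 "-" "Wget/1.19.4 (linux-gnu)"',
    '<34>Dec  3 15:40:01 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 4422 ssh2',
    '<13>Dec 3 15:41:17 web_1: 203.0.113.9 - - [03/Dec/2018:15:41:17 +0000] "GET /wp-login.php HTTP/1.1" 404 1234 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_datagram(line))
```

The same split can be done inside Logstash by prefixing the grok pattern with `<%{POSINT:syslog_pri}>`; Logstash's own `syslog_pri` filter then decodes that number into facility and severity names the way `decode_pri` does here.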
