Hello everyone!
I have a log from syslog which Logstash should parse:
Source:
Jan 3 10:14:40 123.123.123.123 {"zone_src":"SRC","zone_dst":"DST","reason":"rule","rule_id":12345,"rule_description":"Rule Description","action":"ACCEPT","@timestamp":"2023-01-03T10:14:39.151179+0100","timestamp":1672737279,"timestamp_usec":151179,"iface_in":"123456","iface_out":"asdf1.123","ip_src":"100.100.100.100","ip_dst":"200.200.200.200","protocol":6,"port_src":12345,"port_dst":1234,"mark":352321536,"tos":0,"host_id":123456,"host_name":"hostname123,"logtype":"forward"}
Now I want kv to split the keys and values within the curly brackets and exclude the date and IP Address before the curly brackets.
I tried it with the following config but it won't work:
input {
  file {
    path => ["/var/log/syslog-test4"]
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}
filter {
  dissect {
    mapping => {
      "message" => "\"%{month1} %{day2} %{time3} %{host4} {\"zone_src\":\"%{zone_src}\",\"zone_dst\":\"%{zone_dst}\",\"reason\":\"%{reason}\",\"rule_id\":%{rule_id},\"rule_description\":\"%{rule_description}\",\"action\":\"%{action}\",\"@timestamp\":\"%{@timestamp}\",\"timestamp\":%{timestamp},\"timestamp_usec\":%{timestamp_usec},\"iface_in\":\"%{iface_in}\",\"iface_out\":\"%{iface_out}\",\"ip_src\":\"%{ip_src}\",\"ip_dst\":\"%{ip_dst}\",\"protocol\":%{protocol},\"port_src\":%{port_src},\"port_dst\":%{port_dst},\"mark\":%{mark},\"tos\":%{tos},\"host_id\":%{host_id},\"host_name\":\"%{host_name}\",\"logtype\":\"%{logtype}\"}\""
    }
    remove_field => ["month1", "day2", "time3", "host4"]
  }
  kv {
    source => "message"
    field_split => ","
    value_split => ":"
    trim_key => "{\\\""
    trim_value => "\\\"}"
    #target_field => "details"
    include_brackets => false
  }
}
Can any of you assist on how I could achieve this?
Thank you,
Max
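One way to get the fields out of a line like the one above, as an added example written for this thread and not taken from the original post: dissect strips the syslog header, and the json filter decodes the remaining object instead of kv, so nested quoting and numeric values are handled by a real JSON parser. The field names syslog_month, syslog_day, syslog_time, syslog_host, json_payload and details are my own choices.

```logstash
input {
  file {
    path => ["/var/log/syslog-test4"]
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}

filter {
  # Split off the syslog header. "%{syslog_month->}" also absorbs the double
  # space syslog emits for single-digit days ("Jan  3"). Everything after the
  # host (the whole JSON object) lands in json_payload. Field names are mine.
  dissect {
    mapping => {
      "message" => "%{syslog_month->} %{syslog_day} %{syslog_time} %{syslog_host} %{json_payload}"
    }
  }

  # Decode the JSON object into a nested "details" field. Using a target keeps
  # the payload's own "@timestamp" key from overwriting the event's @timestamp.
  # A malformed object (the sample above is missing the closing quote after
  # "hostname123") is left unparsed and tagged _jsonparsefailure for review.
  json {
    source => "json_payload"
    target => "details"
    tag_on_failure => ["_jsonparsefailure"]
  }

  # Drop the scaffolding only when parsing succeeded; keep the raw payload on
  # failure so the bad line can still be inspected downstream.
  if "_jsonparsefailure" not in [tags] {
    mutate {
      remove_field => ["syslog_month", "syslog_day", "syslog_time", "syslog_host", "json_payload"]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

With the quote in the sample line repaired, the event ends up with details.ip_src, details.action, details.rule_id and so on, and the date and IP address in front of the braces are gone.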