Redmine output plugin

tgdesrochers · February 10, 2016, 5:28pm

I am trying to use the redmine output plugin to write tickets to my redmine database. my config works but my question is how to make the description field more robust.

I am trying to use description => "%{message}" so that the entire message gets thrown into the description field. When I do this my descriptions literally "%message". When I use other field names such as note and use description => "%{note}" I get the value of field note in the description.

Here is a sample of my data:

{
              "ts" => 1455124052684,
             "uid" => "ChS7ac4M8vLd4OTau8",
       "id.orig_h" => "x.x.x.x",
       "id.orig_p" => 3098,
       "id.resp_h" => "82.165.177.154",
       "id.resp_p" => 80,
           "proto" => "tcp",
            "note" => "Intel::Notice",
             "msg" => "Intel hit on testmyids.com/ at HTTP::IN_URL",
             "sub" => "testmyids.com/",
             "src" => "x.x.x.x",
             "dst" => "82.165.177.154",
               "p" => 80,
      "peer_descr" => "manager",
         "actions" => [
        [0] "Notice::ACTION_EMAIL",
        [1] "Notice::ACTION_LOG"
    ],
    "suppress_for" => 3600.0,
         "dropped" => false,
        "@version" => "1",
      "@timestamp" => "2016-02-10T17:07:37.849Z",
            "host" => "satcon99",
            "path" => "/nsm/bro/logs/current/notice.log",
            "type" => "alert",
       "@metadata" => {
        "stage" => "redmine_alert"
    }

What can I do to make sure the entire message field gets put in the description of the redmine ticket?

magnusbaeck · February 10, 2016, 7:11pm

Which field? There a msg field but no message.

tgdesrochers · February 10, 2016, 7:19pm

, "dropped"=>false, "@version"=>"1", "@timestamp"=>"2016-02-10T16:44:21.004Z", "host"=>"sensor", "path"=>"/nsm/bro/logs/current/notice.log", "type"=>"alert"}, "type"], "message"=>[{"ts"=>1455122654361, "uid"=>"ClChlgWO27XncB1l2", "id.orig_h"=>"x.x.x.x", "id.orig_p"=>13516, "id.resp_h"=>"82.165.177.154", "id.resp_p"=>80, "proto"=>"tcp", "note"=>"Intel::Notice", "msg"=>"Intel hit on testmyids.com/ at HTTP::IN_URL", "sub"=>"testmyids.com/", "src"=>"x.x.x.x", "dst"=>"82.165.177.154", "p"=>80, "peer_descr"=>"manager", "actions"=>["Notice::ACTION_EMAIL", "Notice::ACTION_LOG"], "suppress_for"=>#, "dropped"=>false, "@version"=>"1", "@timestamp"=>"2016-02-10T16:44:21.004Z", "host"=>"sensor", "path"=>"/nsm/bro/logs/current/notice.log", "type"=>"alert"}, "message"], "note"=>[{"ts"=>1455122654361, "uid"=>"ClChlgWO27XncB1l2", "id.orig_h"=>"x.x.x.x", "id.orig_p"=>13516, "id.resp_h"=>"82.165.177.154", "id.resp_p"=>80, "proto"=>"tcp", "note"=>"Intel::Notice", "msg"=>"Intel hit on testmyids.com/ at HTTP::IN_URL", "sub"=>"testmyids.com/", "src"=>"x.x.x.x", "dst"=>"82.165.177.154", "p"=>80, "peer_descr"=>"manager", "actions"=>["Notice::ACTION_EMAIL", "Notice::ACTION_LOG"], "suppress_for"=>#, "dropped"=>false, "@version"=>"1", "@timestamp"=>"2016-02-10T16:44:21.004Z", "host"=>"sensor", "path"=>"/nsm/bro/logs/current/notice.log", "type"=>"alert"}, "note"]}>>, :level=>:warn}

Sorry for all the data but when I was getting errors (before adding ssl to the config) I saw a field called [message]. This is in the raw data above, but when I do a rubydebug I don't see the the message field in the output.

I have started playing with adding a field using the mutate plugin, but I can't get the data to split onto multiple lines.

filter {
  if [type] == "alert" {
    mutate {
      add_field => {
        "message" => ["Source IP = %{src}","Destination IP = %{dst}","Source Port = %{id.orig_p}","Destination Port = %{id.resp_p}","Connection ID = %{uid}"]
      }
    }
  }
}

I just don't quite understand why I can see the message field in the raw data when an error is thrown but it doesn't get printed when I run stdout with rubdebug.

Second in the conf above, how could I get this to output each to a new line so that in the description field of redmine it will me multiple lines instead of one long string.

Thanks