Remove header information added by logstash

vishal0708gautam · November 23, 2017, 1:13pm

Hello experts,

We are using logstash as syslog event receiver and forwarder using UDP & TCP and it is doing as expected but on forwarding syslog events to output, logstash is adding its own header, we want to remove this header from syslog. Please find below expected syslog and the syslog received from logstash

Expected syslog

Nov 23 10:11:39 127.0.0.1 token1: expired, successful,Info,0000,00002,Linux,Test

Syslog received from logstash

Nov 23 10:01:40 10.140.190.105 LOGSTASH[-]: <13>Nov 23 10:01:40 127.0.0.11 token1: expired, successful,Info,0000,00002,Linux,Test

As you can see extra logstash header info is getting appended in the syslog. Kindly suggest how to remove this header.
I have seen other threads with similar problems as well but it didnt solve the purpose.

guyboertje · November 23, 2017, 2:56pm

Please post your config here using triple backticks ``` above and below the config text.

vishal0708gautam · November 24, 2017, 4:54am

Please find below the config I am using

input {

  syslog {
    port => 1468
  }
  udp {
    port => 514
    type => syslog
  }
}

output {
  syslog{
   host => "10.140.190.105"
   port => 1468
   protocol => tcp
  }
}

vishal0708gautam · November 24, 2017, 11:42am

Solved

I got the solution to the above problem

Used TCP output plugin & changed config file

Please find the below config file

input {

  syslog {
    port => 1468
  }
  udp {
    port => 514
    type => syslog
  }

}

output {

  tcp{
   host => "10.140.190.105"
   port => 1468

   codec => line {
   format => "%{message}"
   }

 }

}

But now facing a new issue i.e. while sending syslog event output some times TCP hangs and then outputs the syslog event. The major problem here is that if any event comes in between for output, because TCP output is hanged, the event drop or not sent.

Please find below log of TCP while it hangs

[2017-11-24T08:10:34,608][WARN ][logstash.outputs.tcp     ] tcp output exception {:host=>"10.140.190.105", :port=>1468, :exception=>#<EOFError: End of file reached>, :backtrace=>["org/jruby/RubyIO.java:3030:in `sysread'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-tcp-4.0.2/lib/logstash/outputs/tcp.rb:162:in `register'", "org/jruby/RubyProc.java:281:in `call'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-line-3.0.4/lib/logstash/codecs/line.rb:54:in `encode'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-tcp-4.0.2/lib/logstash/outputs/tcp.rb:207:in `receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:in `multi_receive'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/single.rb:15:in `multi_receive'", "org/jruby/ext/thread/Mutex.java:149:in `synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/single.rb:14:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:49:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:434:in `output_batch'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:433:in `output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:381:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}

Please suggest the solution for this problem

guyboertje · November 24, 2017, 12:08pm

Here is the ruby code that that warning log message is coming from:

        begin
          client_socket = connect unless client_socket
          r,w,e = IO.select([client_socket], [client_socket], [client_socket], nil)
          # don't expect any reads, but a readable socket might
          # mean the remote end closed, so read it and throw it away.
          # we'll get an EOFError if it happens.
          client_socket.sysread(16384) if r.any?

          # Now send the payload
          client_socket.syswrite(payload) if w.any?
        rescue => e
          @logger.warn("tcp output exception", :host => @host, :port => @port,
                       :exception => e, :backtrace => e.backtrace)
          client_socket.close rescue nil
          client_socket = nil
          sleep @reconnect_interval
          retry
        end

This seems to mean that the remote end closed early and we sleep and retry at the default reconnect_interval of 10 seconds.
I suggest that you investigate the network activity, correct the problem and reduce the reconnect_interval to 1 second.

system · December 22, 2017, 12:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash syslog output - remove headers Logstash	2	1408	July 6, 2017
Mantain source IP TCP Output Logstash	7	1452	May 15, 2022
Logstash Syslog output plugin streaming adds additional headers Logstash	2	340	December 9, 2022
TCP syslog output not working properly in logstash Logstash	1	1491	December 21, 2017
Removing fields from logstash output Logstash	4	1218	November 17, 2017

Remove header information added by logstash

Expected syslog

Syslog received from logstash

Please find the below config file

Please find below log of TCP while it hangs

Related topics