Remove header information added by logstash

Hello experts,

We are using Logstash as a syslog event receiver and forwarder over UDP and TCP, and it is working as expected. However, when forwarding syslog events to the output, Logstash adds its own header, and we want to remove this header from the syslog. Please find below the expected syslog and the syslog received from Logstash.

Expected syslog

Nov 23 10:11:39 127.0.0.1 token1: expired, successful,Info,0000,00002,Linux,Test

Syslog received from logstash

Nov 23 10:01:40 10.140.190.105 LOGSTASH[-]: <13>Nov 23 10:01:40 127.0.0.11 token1: expired, successful,Info,0000,00002,Linux,Test

As you can see, extra Logstash header info is getting appended in the syslog. Kindly suggest how to remove this header.
I have seen other threads with similar problems as well, but it didn't solve the purpose.

Please post your config here using triple backticks ``` above and below the config text.

Please find below the config I am using

```
input {
  syslog {
    port => 1468
  }
  udp {
    port => 514
    type => syslog
  }
}

output {
  syslog {
    host => "10.140.190.105"
    port => 1468
    protocol => tcp
  }
}
```

Solved

I got the solution to the above problem

Used TCP output plugin & changed config file

Please find the below config file

```
input {
  syslog {
    port => 1468
  }
  udp {
    port => 514
    type => syslog
  }
}

output {
  tcp {
    host => "10.140.190.105"
    port => 1468
    codec => line {
      format => "%{message}"
    }
  }
}
```

But now I am facing a new issue: while sending syslog event output, sometimes TCP hangs and then outputs the syslog event. The major problem here is that if any event comes in between for output, because the TCP output is hung, the event is dropped or not sent.

Please find below log of TCP while it hangs

[2017-11-24T08:10:34,608][WARN ][logstash.outputs.tcp     ] tcp output exception {:host=>"10.140.190.105", :port=>1468, :exception=>#<EOFError: End of file reached>, :backtrace=>["org/jruby/RubyIO.java:3030:in `sysread'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-tcp-4.0.2/lib/logstash/outputs/tcp.rb:162:in `register'", "org/jruby/RubyProc.java:281:in `call'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-line-3.0.4/lib/logstash/codecs/line.rb:54:in `encode'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-tcp-4.0.2/lib/logstash/outputs/tcp.rb:207:in `receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:in `multi_receive'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/single.rb:15:in `multi_receive'", "org/jruby/ext/thread/Mutex.java:149:in `synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/single.rb:14:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:49:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:434:in `output_batch'", "org/jruby/RubyHash.java:1342:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:433:in `output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:381:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}

Please suggest the solution for this problem

Here is the Ruby code that that warning log message is coming from:

        begin
          client_socket = connect unless client_socket
          r,w,e = IO.select([client_socket], [client_socket], [client_socket], nil)
          # don't expect any reads, but a readable socket might
          # mean the remote end closed, so read it and throw it away.
          # we'll get an EOFError if it happens.
          client_socket.sysread(16384) if r.any?

          # Now send the payload
          client_socket.syswrite(payload) if w.any?
        rescue => e
          @logger.warn("tcp output exception", :host => @host, :port => @port,
                       :exception => e, :backtrace => e.backtrace)
          client_socket.close rescue nil
          client_socket = nil
          sleep @reconnect_interval
          retry
        end

This seems to mean that the remote end closed early and we sleep and retry at the default reconnect_interval of 10 seconds.
I suggest that you investigate the network activity, correct the problem and reduce the reconnect_interval to 1 second.
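
The read-before-write check and the effect of `reconnect_interval` described in the reply above, as an added example (not code from the thread or from the plugin): a constructed local receiver closes its first connection, and a sender with the same select / sysread / retry shape holds the payload for one reconnect interval before delivering it. `start_flaky_receiver`, `send_with_retry` and `demo` are hypothetical names, and the loopback address and payload are constructed.

```ruby
require "socket"

# Constructed stand-in for the remote receiver: it closes the first
# connection right after accepting it, then reads lines from the second.
def start_flaky_receiver(received)
  server = TCPServer.new("127.0.0.1", 0)
  thread = Thread.new do
    server.accept.close                 # remote end closes early
    conn = server.accept
    while (line = conn.gets)
      received << line.chomp
    end
    [conn, server].each(&:close)
  end
  [server.addr[1], thread]
end

# Same select / sysread / syswrite / retry shape as the snippet above.
def send_with_retry(client_socket, port, payload, reconnect_interval)
  reconnects = 0
  begin
    client_socket ||= TCPSocket.new("127.0.0.1", port)
    r, w, _e = IO.select([client_socket], [client_socket], [client_socket], nil)
    client_socket.sysread(16384) if r.any?    # EOFError when the peer has closed
    client_socket.syswrite(payload) if w.any?
  rescue EOFError, Errno::ECONNRESET, Errno::EPIPE
    client_socket.close rescue nil
    client_socket = nil
    reconnects += 1
    sleep reconnect_interval                  # payload is held, then retried
    retry
  end
  client_socket.close
  reconnects
end

# Runs the scenario once; returns what arrived, the reconnects and the delay.
def demo(reconnect_interval)
  received = Queue.new
  port, thread = start_flaky_receiver(received)
  sock = TCPSocket.new("127.0.0.1", port)
  IO.select([sock], nil, nil, 2)              # demo setup: wait for the close to arrive
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  reconnects = send_with_retry(sock, port, "token1: constructed sample\n", reconnect_interval)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  thread.join
  { received: received.pop, reconnects: reconnects, elapsed: elapsed }
end

p demo(1) if __FILE__ == $PROGRAM_NAME
```

The `elapsed` value tracks the interval passed in, which is why a 10 second default shows up as a 10 second stall on the output each time the receiver closes the connection.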
