Remove logstash automatic fields

Giulio · April 11, 2016, 3:29pm

Hi

My log are alredy formatted so I need only to rename the field.
But logstash add by itself at the begin of the message some elements (that I totally don't need)

...
"vhost" => "<133>Apr 11 17:16:54 centos7test2 apache-access 192.168.122.226", (I need only the IP)
...

For now I have solved this problem using a grok filter that divide the field in single element and the deleting what I don't need... But this is really stupid...It's only a waste of CPU for nothing, as I said my file are alredy formatted, why I should add some fields and then remove them!

grok {
    match => [ "vhost", "<%{NUMBER:messType}>\s*%{MONTH:month}\s*%{MONTHDAY:day}\s*%{TIME:time}\s*%{PROG:sender}\s*%{PROG:logType}\s*%{IPORHOST:vHost}" ]
}

I'm almost sure that exist a command to force logstash to not add nothing to the incoming message but for now I don't find anything... So at the end, is this possible?

As always, many thanks for your help!

Alex_6 · April 11, 2016, 3:46pm

Where does the vhost field come from in the first place?

And if you don't name the fields in your Grok pattern then they won't be stored.

grok {
    match => [ "vhost", "<%{NUMBER}>\s*%{MONTH}\s*%{MONTHDAY}\s*%{TIME}\s*%{PROG}\s*%{PROG}\s*%{IPORHOST:vHost}" ]
}

Or you could just shorten it right down:

grok {
    match => [ "vhost", "%{GREEDYDATA}\s%{IPORHOST:vHost}" ]
}

Giulio · April 12, 2016, 8:05am

The virtual host is the first element of my apache custom log and are shipped using rsyslog

LogFormat "%V\t%h\t%{SSL_PROTOCOL}x\t%{SSL_CIPHER}x\t%{SSL_CLIENT_S_DN_CN}x\t%u\t%{%d/%m/%Y %T %Z}t\t%{UNIQUE_ID}e\t%{JSESSIONID}C\t%H\t%m\t%k\t%U\t"%q"\t%>s\t%b\t"%{Referer}i"\t"%{User-Agent}i"\t%D\t%X\t%I\t%O"

192.168.122.226 192.168.122.1 - - - - 12/04/2016 09:18:15 +0200 VwyhN2i20z41PqBf1-Wa7wAAAAE - HTTP/1.1 GET 6 /noindex/css/fonts/Bold/OpenSans-Bold.ttf "" 404 238 "http://192.168.122.226/noindex/css/open-sans.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" 455 + 421 473

I use a pre-tabbed log so I need only to apply the columns name and the the conversion.

Many thanks for your advice, if is not possible remove that field from the begin this should be the best way to proceed.