Hello everyone, I'm new to LogStash and so I'm running into complications. I'm trying to use logstash to forward logs but the logs that are sent are completely different from the logs I expect.
When I use the syslog output plugin, I get something almost indecipherable (it has 3 or 4 timestamps?).
When I use the UDP output plugin I get something more... edible.
Here is an example of what I'm receiving:
MM DD YYYY HH:mm:ss ELK IP <USER:NOTE> {"@timestamp":"YYYY-MM-DDTHH:mm:ss.000Z","syslog_hostname":"SourceIP","syslog_timestamp":"MMM DD HH:mm:ss","@version":"1","host":"LogGenHostIP","syslog_program":"EVID:0000 Server3","message":"Message","type":"syslog","syslog_message":"SyslogMessage"}
Please note that the timestamp "@timestamp" is reporting a time that is exactly 4 hours ahead of the first timestamp... I have no idea why.
So what I'd like to do is strip everything before "syslog_hostname", but somehow nothing I've tried is working.
Note that I'm using a log generator for the sample logs, which is why there is "host" pointing at the computer where the logs are being generated.
Any ideas are very much appreciated, about the timestamp or the field removal.
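The pipeline below is an added example, not the original poster's configuration or anything from the Logstash project, showing one way to get the fields-only output the question asks for. It assumes the events were produced by a plain udp input plus the grok pattern from the Logstash syslog tutorial (which is where field names like syslog_hostname, syslog_program and syslog_message come from), that the downstream collector is at 10.0.0.5:5514 (a made-up address), and that it should receive a single formatted line rather than the whole event as JSON. The udp output's default codec is json, which is why every field of the event, @timestamp included, shows up in the received packet; swapping it for a line codec with a format string sends only the named fields.

```conf
# Added example pipeline (not the poster's config). Addresses and ports are
# assumed values; the grok pattern is the one from the Logstash syslog tutorial.

input {
  udp {
    port => 5514                       # assumed: where the log generator sends to
    type => "syslog"
  }
}

filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }

  # Drop the event bookkeeping fields that should not reach the collector.
  # @timestamp is left alone: Logstash always stores it in UTC (hence the "Z"),
  # and with the line codec below it is never sent anyway.
  mutate {
    remove_field => [ "@version", "host", "type", "message" ]
  }
}

output {
  # Before (what the post describes): no codec given, so the udp output falls
  # back to its default json codec and ships the entire event as one JSON object.
  # udp {
  #   host => "10.0.0.5"
  #   port => 5514
  # }

  # After: only the fields named in the format string are sent, in this order.
  udp {
    host  => "10.0.0.5"                # assumed collector address
    port  => 5514
    codec => line {
      format => "%{syslog_timestamp} %{syslog_hostname} %{syslog_program}: %{syslog_message}"
    }
  }
}
```

Two caveats on the timestamps. @timestamp in Logstash is always UTC, so a value exactly 4 hours ahead of a locally stamped line is what you would expect from a receiver running in a UTC-4 zone; that the receiver's clock is in such a zone is an assumption here, not something the post confirms. The extra timestamps seen with the syslog output come from that plugin itself: it prepends an RFC 3164 (or 5424) header carrying its own timestamp, and its message option defaults to "%{message}", i.e. the raw original line, which already contains one. Setting message to a specific field such as "%{syslog_message}" avoids the duplication if the syslog output is preferred over udp.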