Hello,
I'm trying to set up a Logstash configuration. I want to forward the event.original field only on the udp output.
I have a filebeat input and elasticsearch/udp outputs. I tried the "codec line" option with "format", but it does not consider the payload %{event.original} as a variable. Here is the configuration sample:
input {
  beats {
    port => 5044
    tags => ["serv1"]
  }
}
output {
  if "serv1" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "serv1"
    }
    udp {
      host => ["192.168.1.1"]
      port => 514
      codec => line {
        format => "%{event.original}"
      }
    }
  }
}
NB: the line codec and format option are working with a syslog input.
Do you have any recommendations?
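
An added example, not part of the original post: Logstash's sprintf format addresses nested fields with bracket notation, so the `original` sub-field of `event` is written `%{[event][original]}`, while `%{event.original}` refers to a single top-level field whose name contains a dot and is emitted as literal text when no such field exists. Host, port and tag are taken from the post; falling back to `[message]` when `[event][original]` is absent is an assumption about what should be forwarded in that case.

```logstash
# Added example (not the poster's configuration).
input {
  beats {
    port => 5044
    tags => ["serv1"]
  }
}

output {
  if "serv1" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "serv1"
    }

    # Nested field reference: [event][original], not event.original.
    if [event][original] {
      udp {
        host => "192.168.1.1"
        port => 514
        codec => line { format => "%{[event][original]}" }
      }
    } else {
      # Assumption: when the event carries no [event][original],
      # forward the raw [message] so the receiver never gets an
      # unresolved "%{...}" placeholder as the payload.
      udp {
        host => "192.168.1.1"
        port => 514
        codec => line { format => "%{[message]}" }
      }
    }
  }
}
```

The pipeline syntax can be checked before deployment with `bin/logstash --config.test_and_exit -f <file>`.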