[Solved] How to get raw log in logstash

tatdat · June 5, 2017, 3:34am

Hi, i have this case.

I send log from filebeat -> logstash. (5.4). Now i need to get raw log in field "message" only

{
  "_index": "fb-test-2017.20",
  "_type": "ssh",
  "_id": "AVwPYDgrVEOhQqT8cqhk",
  "_version": 1,
  "_score": null,
  "_source": {
    "geoip": {},
    "offset": 9164,
    "beatname": "fb-test",
    "input_type": "log",
    "source": "/var/log/secure",
    "message": "May 16 10:49:44 Nginx-LB-Inside-02 sudo: pam_unix(sudo-i:auth): authentication failure; logname=admin uid=1002 euid=0 tty=/dev/pts/0 ruser=admin rhost=  user=admin",
    "type": "ssh",
    "tags": [],
    "@timestamp": "2017-05-16T03:49:46.320Z",
    "beattype": "ssh",
    "@version": "1",
    "beat": {
      "hostname": "Nginx-LB-Inside-02",
      "name": "Nginx-LB-Inside-02",
      "version": "5.4.0"
    }
  }
}

I want get data in "message" field and write it to file in OUTPUT.

May 16 10:49:44 Nginx-LB-Inside-02 sudo: pam_unix(sudo-i:auth): authentication failure; logname=admin uid=1002 euid=0 tty=/dev/pts/0 ruser=admin rhost= user=admin

Anyone have suggestion for me ?

Thanks so much.

magnusbaeck · June 5, 2017, 4:00am

You have a file output and you want it to contain the current contents of the message field and nothing else? See the example in the file output documentation:

output {
 file {
   path => ...
   codec => line { format => "custom format: %{message}"}
 }
}

tatdat · June 5, 2017, 7:51am

Thanks for quick reply,
That all i need. My problem is solved

system · July 3, 2017, 7:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.