Syslog output actually displaying "%{message}" instead of the message from metricbeat


#1

I have a need to grab metricbeat output from my logstash nodes and forward it directly to a syslog server (I'll spare you the details). The problem is, the data received looks like this:

Nov 13 06:39:12 MONITOREDSERVER1 LOGSTASH[-]: %{message}
Nov 13 06:39:11 MONITOREDSERVER1 LOGSTASH[-]: The Jenkins agent (jenkinsslave-d__temp) service terminated unexpectedly.  

The first line is from metricbeat running on a windows host (I only have windows hosts), the second is from Winlogbeat on the same host.

This appears to be an issue with the syslog output specifically as output to elasticsearch works just fine and I'm able to see the metricbeat data in Kibana. I've tried this with Logstash 6.2.3 and 6.4.2. The config I'd like to use:

input {
  beats {
	port => 5044
	ssl => true
	ssl_certificate => "d:\logstash\config\ELK.crt"
	ssl_key => "d:\logstash\config\ELK.pk8"
  }
}
output {
  elasticsearch {
	hosts => "ELASTICHOST:9200"
	manage_template => false
	index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" 
	document_type => "%{[@metadata][type]}" 
  }
  syslog {
	appname => "LOGSTASH"
	host => "localhost"
	port => 1468
	protocol => "tcp"
	#message => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd} %{message}"
  }
}

I've been experimenting with the message option for the syslog output to try and get something reasonable. The commented out line will produce something like:
Nov 13 06:39:12 MONITOREDSERVER1 LOGSTASH[-]: metricbeat-6.2.3-2018-11-21 %{message}
For metricbeat and the winlogbeats (or filebeats) records will have the actual message.

Maybe metricbeat doesn't have a %{message} field?