Syslog output plugin and dynamic values

Is there a way to use fields with this plugin in much the same way as with the File or Elasticsearch output plugins?

The following does not work:

		syslog {
			host		=> "10.10.10.1"
			port 		=> 12543
			protocol	=> "tcp"
			facility 	=> "user-level"
			severity 	=> "%{loglevel}"
			appname 	=> "%{zone}-%{container}"
			sourcehost	=> "%{host}"
			procid		=> "%{bundle}"
			msgid		=> "csms"
		}

The result is:

	Invalid setting for syslog output plugin:

	output {
		syslog {
			# This setting must be a ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
			# Expected one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"], got ["%{loglevel}"]
			severity => "%{loglevel}"
			...
		}
	} {:level=>:error}

However this does work:

	elasticsearch {
		host => localhost
		index => "logstash-%{type}-%{host}-%{+YYYY.MM.dd}"
		document_id => "%{timestamp}"
	}

The configuration parameters where you can use %{varname} interpolation depend on the particular plugin and parameter, and it's unfortunately not documented. When in doubt I read the code to find out. The parameter must be accessed with event.sprintf(@name_of_param) for it to work.

Thanks Magnus.

Magnus, I gave that a try:

			syslog {
				host		=> "10.10.1.1"
				port 		=> 11122
				protocol	=> "tcp"
				facility 	=> "user-level"
				severity 	=> event.sprintf(@loglevel)
				appname 	=> "fuse"
				sourcehost	=> event.sprintf(@host)
				procid		=> event.sprintf(@bundle)
				msgid		=> "csms"
			}

and receive the following:

	λ csms
	io/console not supported; tty will not be manipulated
	Error: Expected one of #, {, } at line 246, column 24 (byte 6541) after output {
	if "_grokparsefailure" in [tags] {
	if [type] =='karaf' {
	if [service] {
	file {
	path => "C:/Source/github/csms-dev-env/.misc/logs/fuse/%{type}-%{zone}-%{container}-failed-%{+YYYY-MM-dd}.log"
	}
	} else {
	file {
	path => "C:/Source/github/csms-dev-env/.misc/logs/fuse/%{type}-%{container}-failed-%{+YYYY-MM-dd}.log"
	}
	}
	} else {
	file {
	path => "C:/Source/github/csms-dev-env/.misc/logs/%{type}-failed-%{+YYYY-MM-dd}.log"
	}
	}
	}

	    stdout {
	            codec => rubydebug
	    }

	                            syslog {
	                                    host            => "10.10.1.1"
	                                    port            => 11122
	                                    protocol        => "tcp"
	                                    facility        => "user-level"
	                                    severity        => event

	You may be interested in the '--configtest' flag which you can
	use to validate logstash's configuration before you choose
	to restart a running system.

Oh, sorry. That's not what I meant. It's the source code that must contain event.sprintf(). If it doesn't you can't use %{varname} references. I mentioned event.sprintf() because it's basically the only way to figure out whether it's supported for a particular field. You can't use it in configuration files.

Magnus, I've checked the code and event.sprintf() is used on the majority of the fields and I even used the source from https://github.com/logstash-plugins/logstash-output-syslog/pull/4 for complete support and the plugin still does not allow interpolation!!

The code looks right. Are you sure you managed to install and use the patched plugin? You can easily add a logging statement to be 100% sure.
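
The two stages discussed in this thread, as an added stand-alone Ruby model (not code from the thread or from logstash-output-syslog): a setting validated against a fixed list is checked literally when the configuration loads, which produces the "Expected one of ..." error quoted above, while %{field} references are only resolved per event. `validate_enum`, `sprintf_event`, `resolve_pri`, `load_time_error` and the `LEVEL_MAP` table are hypothetical names and values; `sprintf_event` is a simplified stand-in for `event.sprintf`.

```ruby
# Added illustration: a stand-alone model, not code from logstash-output-syslog.
SEVERITIES = %w[emergency alert critical error warning notice informational debug].freeze
USER_LEVEL_FACILITY = 1 # syslog facility code for "user-level"
# Hypothetical mapping from application log levels to syslog severity names.
LEVEL_MAP = { "WARN" => "warning", "INFO" => "informational", "ERROR" => "error", "DEBUG" => "debug" }.freeze

# Stage 1, config load: an enumerated setting is compared literally with the
# allowed list, so an uninterpolated "%{field}" string can never pass.
def validate_enum(value, allowed)
  return value if allowed.include?(value)
  raise ArgumentError, "Expected one of #{allowed.inspect}, got #{[value].inspect}"
end

# Stage 2, per event: simplified stand-in for event.sprintf. In this model a
# reference to a field the event lacks is left as the literal "%{name}".
def sprintf_event(template, event)
  template.gsub(/%\{([^}]+)\}/) { event.key?($1) ? event[$1].to_s : $& }
end

# What per-event severity requires once the setting is accepted as a plain
# string: interpolate, map, re-validate, and fall back if the result is invalid.
def resolve_pri(severity_setting, event, fallback = "notice")
  name = sprintf_event(severity_setting, event)
  name = LEVEL_MAP.fetch(name, name.downcase)
  name = fallback unless SEVERITIES.include?(name)
  USER_LEVEL_FACILITY * 8 + SEVERITIES.index(name) # syslog PRI = facility * 8 + severity
end

# Returns the load-time error message, or nil when the setting is accepted.
def load_time_error(setting)
  validate_enum(setting, SEVERITIES)
  nil
rescue ArgumentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  event = { "loglevel" => "WARN", "host" => "node1" } # constructed sample event
  puts load_time_error("%{loglevel}")     # rejected before any event exists
  puts resolve_pri("%{loglevel}", event)  # resolved per event
  puts resolve_pri("%{loglevel}", {})     # field missing: fallback severity
end
```

The fallback matters on the receiving side: an event without the referenced field still gets a valid PRI instead of a malformed syslog header.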