incogniro
(Wayne Hunter)
July 1, 2015, 2:35pm
1
Is there a way to use fields with this plugin in much the same way as with the File or Elasticsearch output plugins?
The following does not work:
syslog {
  host => "10.10.10.1"
  port => 12543
  protocol => "tcp"
  facility => "user-level"
  severity => "%{loglevel}"
  appname => "%{zone}-%{container}"
  sourcehost => "%{host}"
  procid => "%{bundle}"
  msgid => "csms"
}
The result is:
Invalid setting for syslog output plugin:
output {
syslog {
# This setting must be a ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
# Expected one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"], got ["%{loglevel}"]
severity => "%{loglevel}"
...
}
} {:level=>:error}
However this does work:
elasticsearch {
  host => localhost
  index => "logstash-%{type}-%{host}-%{+YYYY.MM.dd}"
  document_id => "%{timestamp}"
}
The configuration parameters where you can use %{varname} interpolation depend on the particular plugin and parameter, and it's unfortunately not documented. When in doubt I read the code to find out. The parameter must be accessed with event.sprintf(@name_of_param) for it to work.
incogniro
(Wayne Hunter)
July 2, 2015, 10:34am
4
Magnus, I gave that a try:
syslog {
  host => "10.10.1.1"
  port => 11122
  protocol => "tcp"
  facility => "user-level"
  severity => event.sprintf(@loglevel)
  appname => "fuse"
  sourcehost => event.sprintf(@host)
  procid => event.sprintf(@bundle)
  msgid => "csms"
}
and receive the following:
λ csms
io/console not supported; tty will not be manipulated
Error: Expected one of #, {, } at line 246, column 24 (byte 6541) after output {
if "_grokparsefailure" in [tags] {
if [type] =='karaf' {
if [service] {
file {
path => "C:/Source/github/csms-dev-env/.misc/logs/fuse/%{type}-%{zone}-%{container}-failed-%{+YYYY-MM-dd}.log"
}
} else {
file {
path => "C:/Source/github/csms-dev-env/.misc/logs/fuse/%{type}-%{container}-failed-%{+YYYY-MM-dd}.log"
}
}
} else {
file {
path => "C:/Source/github/csms-dev-env/.misc/logs/%{type}-failed-%{+YYYY-MM-dd}.log"
}
}
}
stdout {
codec => rubydebug
}
syslog {
host => "10.10.1.1"
port => 11122
protocol => "tcp"
facility => "user-level"
severity => event
You may be interested in the '--configtest' flag which you can
use to validate logstash's configuration before you choose
to restart a running system.
Oh, sorry. That's not what I meant. It's the source code that must contain event.sprintf(). If it doesn't you can't use %{varname} references. I mentioned event.sprintf() because it's basically the only way to figure out whether it's supported for a particular field. You can't use it in configuration files.
incogniro
(Wayne Hunter)
July 2, 2015, 3:29pm
6
Magnus, I've checked the code and event.sprintf() is used on the majority of the fields and I even used the source from https://github.com/logstash-plugins/logstash-output-syslog/pull/4 for complete support and the plugin still does not allow interpolation!!
The code looks right. Are you sure you managed to install and use the patched plugin? You can easily add a logging statement to be 100% sure.
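An added example, not part of the thread and not the plugin's own code: a small Ruby check that automates the "read the source" step described above. For each `config :name` option it reports whether the source reads it through `event.sprintf(@name)` and whether an enumerated `:validate` list (the kind behind the "Expected one of [...]" error in the first post) would reject a literal `%{field}` string at config-load time. `SAMPLE_PLUGIN` is a constructed stand-in for a plugin file, and `interpolation_report` is a hypothetical helper name.

```ruby
# Constructed sample modelled on the general shape of a Logstash output
# plugin. It is NOT the real logstash-output-syslog source.
SAMPLE_PLUGIN = <<~'RUBY'
  class LogStash::Outputs::Example < LogStash::Outputs::Base
    config :host, :validate => :string, :required => true
    config :severity, :validate => ["emergency", "alert", "debug"], :required => true
    config :appname, :validate => :string, :default => "LOGSTASH"
    config :procid, :validate => :string, :default => "-"

    def receive(event)
      appname = event.sprintf(@appname)
      procid = event.sprintf(@procid)
      severity = event.sprintf(@severity)
      send_line(@host, appname, procid, severity)
    end
  end
RUBY

# For every `config :name` declaration, record:
#   sprintf        - the option is read via event.sprintf(@name)
#   enum_validated - :validate is a fixed list, so the literal string
#                    "%{field}" is rejected before any event is processed
#   usable         - %{field} references can actually work for this option
def interpolation_report(source)
  report = {}
  source.scan(/^\s*config\s+:(\w+)\s*,(.*)$/) do |name, opts|
    sprintf_used = source.match?(/\.sprintf\(\s*@#{Regexp.escape(name)}\s*\)/)
    enum = opts.match?(/:validate\s*=>\s*\[/)
    report[name] = {
      sprintf: sprintf_used,
      enum_validated: enum,
      usable: sprintf_used && !enum
    }
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  interpolation_report(SAMPLE_PLUGIN).each do |name, r|
    puts format("%-10s sprintf=%-5s enum=%-5s %%{field} usable=%s",
                name, r[:sprintf], r[:enum_validated], r[:usable])
  end
end
```

To check an installed plugin, pass the contents of its `.rb` file to `interpolation_report` instead of the sample; an option that shows `sprintf=true` but `enum=true` will still fail config validation when given a `%{field}` value.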