Syslog output plugin and dynamic values

incogniro · July 1, 2015, 2:35pm

Is there a way to use fields with this plugin in much the same ways as the File or Elasticsearch output plugin?

The following does not work:

		syslog {
			host		=> "10.10.10.1"
			port 		=> 12543
			protocol	=> "tcp"
			facility 	=> "user-level"
			severity 	=> "%{loglevel}"
			appname 	=> "%{zone}-%{container}"
			sourcehost	=> "%{host}"
			procid		=> "%{bundle}"
			msgid		=> "csms"
		}

The result is:

Invalid setting for syslog output plugin:

output {
syslog {
# This setting must be a ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
# Expected one of ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"], got ["%{loglevel}"]
severity => "%{loglevel}"
...
}
} {:level=>:error}

However this does work:

	elasticsearch {
		host => localhost
		index => "logstash-%{type}-%{host}-%{+YYYY.MM.dd}"
		document_id => "%{timestamp}"
	}

magnusbaeck · July 1, 2015, 10:10pm

The configuration parameters where you can use %{varname} interpolation depends on the particular plugin and parameter and it's unfortunately not documented. When in doubt I read the code to find out. The parameter must be accessed with event.sprintf(@name_of_param) for it to work.

incogniro · July 2, 2015, 7:35am

Thanks Magnus.

incogniro · July 2, 2015, 10:34am

Magnus, I gave that a try:

			syslog {
				host		=> "10.10.1.1"
				port 		=> 11122
				protocol	=> "tcp"
				facility 	=> "user-level"
				severity 	=> event.sprintf(@loglevel)
				appname 	=> "fuse"
				sourcehost	=> event.sprintf(@host)
				procid		=> event.sprintf(@bundle)
				msgid		=> "csms"
			}

and receive the following:

λ csms
io/console not supported; tty will not be manipulated
Error: Expected one of #, {, } at line 246, column 24 (byte 6541) after output {
if "_grokparsefailure" in [tags] {
if [type] =='karaf' {
if [service] {
file {
path => "C:/Source/github/csms-dev-env/.misc/logs/fuse/%{type}-%{zone}-%{container}-failed-%{+YYYY-MM-dd}.log"
}
} else {
file {
path => "C:/Source/github/csms-dev-env/.misc/logs/fuse/%{type}-%{container}-failed-%{+YYYY-MM-dd}.log"
}
}
} else {
file {
path => "C:/Source/github/csms-dev-env/.misc/logs/%{type}-failed-%{+YYYY-MM-dd}.log"
}
}
}

    stdout {                                                                                                                                       
            codec => rubydebug                                                                                                                     
    }                                                                                                                                              
                                                                                                                                                   
                            syslog {                                                                                                               
                                    host            => "10.10.1.1"                                                                                
                                    port            => 11122                                                                                       
                                    protocol        => "tcp"                                                                                       
                                    facility        => "user-level"                                                                                
                                    severity        => event

You may be interested in the '--configtest' flag which you can
use to validate logstash's configuration before you choose
to restart a running system.

magnusbaeck · July 2, 2015, 1:55pm

Oh, sorry. That's not what I meant. It's the source code that must contain event.sprintf(). If it doesn't you can't use %{varname} references. I mentioned event.sprintf() because it's basically the only way to figure out whether it's supported for a particular field. You can't use it in configuration files.

incogniro · July 2, 2015, 3:29pm

Magnus, I've checked the code and event.sprintf() is used on the majority of the fields and I even used the source from https://github.com/logstash-plugins/logstash-output-syslog/pull/4 for complete support and the plugin still does not allow interpolation!!

magnusbaeck · July 2, 2015, 7:44pm

The code looks right. Are you sure you managed to install and use the patched plugin? You can easily add a logging statement to be 100% sure.