Syslog output plugin message parameter ignored

mutt13y · February 5, 2024, 6:09pm

the message parameter for the syslog output plugin is documented as used to set the syslog message (default "%{message}")

The parameter is defined here logstash-output-syslog/lib/logstash/outputs/syslog.rb at main · logstash-plugins/logstash-output-syslog · GitHub

but it is never used in the plugin instead the message is constructed form the payload logstash-output-syslog/lib/logstash/outputs/syslog.rb at main · logstash-plugins/logstash-output-syslog · GitHub

if I configure as follows

syslog {
    host       => "172.16.0.1"
    port       => 514
    protocol   => "tcp"
    msgid      => "logstash"
    procid      => "%{[log][syslog][msgid]}"
    facility   => "%{[log][syslog][facility][name]}"
    priority   => "%{[log][syslog][priority][name]}"
    sourcehost => "%{[log][hostname]}"
    message    => "___ A ___"
  }

the output message is simply constructed from the event message

Something like

message = event.sprintf(@message)
if  message.nil?
   message = payload.to_s.rstrip.gsub(/[\r][\n]/, "\n").gsub(/[\n]/, '\n')
end

and setting the default value of message to nil should do the job and somewhat preserve compatibility

Badger · February 5, 2024, 8:05pm

Not so. It is referenced here. plain is the default codec in the base output.

mutt13y · February 6, 2024, 8:40am

With this output config the syslog message field is not set to ___A___ it is just set to the message field of the event.

output {
  syslog {
    host       => "10.0.0.1"
    port       => 514
    protocol   => "tcp"
    rfc        => "rfc5424"        # Needed for msgid
    msgid      => "_logstash_"
    sourcehost => "%{[log][hostname]}"
    message    => "___ A ___"  # This does not work
   }
}

Question:

config :format, :validate => :string

What does this do as default is it nil or ""

I can't quite follow mixin

somehow one of these conditions must be false

 if @codec.class.name == "LogStash::Codecs::Plain"
      if @codec.config["format"].nil?
        @codec = LogStash::Codecs::Plain.new({"format" => @message})
      end
    end

The message parameter of the syslog codec is being ignored

Badger · February 16, 2024, 5:22pm

I think this issue covers this. The == does not work as expected. The issue includes a workaround.

system · March 15, 2024, 5:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.