We need to forward a field to remote destination

victor.nilsson · June 25, 2019, 8:49am

Hi,

We have the following architecture:

x2 logstash
x2 Elasticsearch

Logstash is receiving logs and sending them to Elasticsearch. If i view the logs in Kibana we have a field called "full_log" which is containing all the information that we want to send to a remote destination.

We want to send the field "full_log" via the syslog or TCP output plugins.

This is how it looks now and the remote site is not recieving any logs:

else if "wazuh-alerts" in [tags] and "syscheck" in [rule.groups] {
    elasticsearch {
        hosts => ["192.168.1.40:9200", "192.168.1.41:9200"]
        index => "wazuh-alerts-3.x-%{+YYYY.MM-dd}"
        document_type => "wazuh"
        user => logstash
        password => logstash
        ssl => true
        ssl_certificate_verification => true
        cacert => "/etc/logstash/ssl/root-ca.pem"
    }
    syslog {
                    host => "1.1.1.1"
                    port => 514
                    protocol => "tcp"
                    message => "%{full_log}"
           }
    #stdout {}
  }

How do we achieve this?

Badger · June 25, 2019, 2:37pm

Does rule.groups really contains a period in the name or do you mean [rule][groups] ?

system · July 23, 2019, 2:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.