Hi,
We have the following architecture:
2x Logstash
2x Elasticsearch
Logstash is receiving logs and sending them to Elasticsearch. If I view the logs in Kibana we have a field called "full_log" which contains all the information that we want to send to a remote destination.
We want to send the field "full_log" via the syslog or TCP output plugins.
This is how it looks now, and the remote site is not receiving any logs:
```
else if "wazuh-alerts" in [tags] and "syscheck" in [rule.groups] {
  elasticsearch {
    hosts => ["192.168.1.40:9200", "192.168.1.41:9200"]
    index => "wazuh-alerts-3.x-%{+YYYY.MM-dd}"
    document_type => "wazuh"
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => true
    cacert => "/etc/logstash/ssl/root-ca.pem"
  }
  syslog {
    host => "1.1.1.1"
    port => 514
    protocol => "tcp"
    message => "%{full_log}"
  }
  #stdout {}
}
```
How do we achieve this?
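An example output section (added here, not part of the original post) showing both ways of forwarding only the `full_log` field: the syslog output as in the post, and the plain `tcp` output with a `line` codec. It guards on the field existing, since a missing `full_log` would otherwise be sent as the literal string `%{full_log}`. The TCP port 5140, the `appname` value and the RFC 5424 framing are assumptions; the `elasticsearch` output from the post is omitted for brevity and stays as it was.

```conf
output {
  if "wazuh-alerts" in [tags] and "syscheck" in [rule.groups] {
    # elasticsearch { ... } as in the original post goes here

    # Forward only events that actually carry the field; otherwise the
    # remote side would receive the literal text "%{full_log}".
    if [full_log] {
      # Option 1: syslog over TCP. The syslog output is a separate plugin
      # (logstash-output-syslog); confirm it is installed with
      #   bin/logstash-plugin list | grep syslog
      syslog {
        host     => "1.1.1.1"        # remote collector from the post
        port     => 514
        protocol => "tcp"
        rfc      => "rfc5424"        # assumed framing; "rfc3164" also valid
        appname  => "wazuh"          # assumed value for the APP-NAME field
        message  => "%{full_log}"    # send just this field as the MSG part
      }

      # Option 2: raw TCP, one newline-terminated line per event.
      # The line codec's format option renders only the chosen field.
      tcp {
        host  => "1.1.1.1"
        port  => 5140                # assumed listener port on the remote side
        mode  => "client"            # Logstash connects out to the collector
        codec => line { format => "%{full_log}" }
      }
    }
  }
}
```

`bin/logstash -f <pipeline.conf> --config.test_and_exit` checks the syntax before a restart, and a `tcp { port => 5140 }` input on the receiving Logstash (or any plain TCP listener) should then show one `full_log` line per matching event.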