We need to forward a field to remote destination


We have the following architecture:

x2 Logstash
x2 Elasticsearch

Logstash is receiving logs and sending them to Elasticsearch. If I view the logs in Kibana we have a field called "full_log" which contains all the information that we want to send to a remote destination.

We want to send the field "full_log" via the syslog or TCP output plugins.

This is how it looks now and the remote site is not receiving any logs:

else if "wazuh-alerts" in [tags] and "syscheck" in [rule.groups] {
    elasticsearch {
        hosts => ["", ""]
        index => "wazuh-alerts-3.x-%{+YYYY.MM-dd}"
        document_type => "wazuh"
        user => logstash
        password => logstash
        ssl => true
        ssl_certificate_verification => true
        cacert => "/etc/logstash/ssl/root-ca.pem"
    }
    syslog {
        host => ""
        port => 514
        protocol => "tcp"
        message => "%{full_log}"
    }
    #stdout {}
}

How do we achieve this?

Does rule.groups really contain a period in the name, or do you mean [rule][groups]?
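As an added illustration that is not part of the original thread, the Python sketch below models how Logstash resolves field references and `%{...}` placeholders against an event. The sample Wazuh-style alert, the `rule`/`groups`/`agent` layout and the helper names are constructed assumptions, not taken from the poster's pipeline. It shows the point the reply raises: in a field reference, `[rule.groups]` names one top-level key literally called "rule.groups", while `[rule][groups]` walks into the nested object. When the alert stores `groups` inside `rule`, the `in` test on `[rule.groups]` is false, the `else if` branch never matches, and nothing is handed to the `syslog` output, which is consistent with the remote side receiving no logs.

```python
import json
import re

# Constructed sample event shaped like a Wazuh alert after Logstash has parsed it.
# Field names are assumptions for this illustration, not data from the thread.
SAMPLE_EVENT = {
    "tags": ["wazuh-alerts"],
    "rule": {"groups": ["ossec", "syscheck"], "level": 7},
    "full_log": "File '/etc/passwd' checksum changed.",
    "agent": {"name": "web01"},
}

# Matches each [segment] of a bracketed Logstash field reference.
FIELD_REF = re.compile(r"\[([^\]]+)\]")
# Matches a %{...} placeholder as used by the syslog output's `message` option.
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def resolve_field(event, ref):
    """Resolve a Logstash-style field reference against an event dict.

    "[rule][groups]" walks rule -> groups. "[rule.groups]" is a single segment,
    so it only matches a top-level key whose name literally contains the dot.
    A bare name such as "full_log" is treated as a top-level key.
    Returns None when any segment is missing.
    """
    parts = FIELD_REF.findall(ref) or [ref]
    cur = event
    for part in parts:
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return None
    return cur


def condition_matches(event, ref, needle):
    """Model the conditional `"<needle>" in <ref>`.

    For a list value this is membership; for a string it is a substring test.
    A reference that does not resolve is simply false, so the branch is skipped.
    """
    value = resolve_field(event, ref)
    if isinstance(value, (list, str)):
        return needle in value
    return False


def render_sprintf(template, event):
    """Expand %{field} placeholders the way the output plugin's sprintf does.

    Non-string values are serialised as JSON; an unresolvable placeholder is left
    in the output verbatim, which is the behaviour you see when a field is misspelt.
    """
    def replace(match):
        value = resolve_field(event, match.group(1))
        if value is None:
            return match.group(0)
        return value if isinstance(value, str) else json.dumps(value)

    return PLACEHOLDER.sub(replace, template)


if __name__ == "__main__":
    for ref in ("[rule.groups]", "[rule][groups]"):
        print(ref, "->", condition_matches(SAMPLE_EVENT, ref, "syscheck"))
    print(render_sprintf("%{[agent][name]}: %{full_log}", SAMPLE_EVENT))
```

Running the module shows the dotted reference evaluating to false and the nested one to true, and renders the message the syslog output would send once the conditional actually admits the event. The same resolver explains why `%{full_log}` works unchanged: it is a top-level field, so no nesting is involved.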
