I'm unable to set the severity and facility fields for the syslog output with a variable value (variables: "syslog_facility":"clock", "syslog_severity":"informational", ...):
output {
  syslog {
    type => "syslog-relay"
    # facility and severity taken from event fields rather than literals
    facility => "%{syslog_facility}"
    severity => "%{syslog_severity}"
    host => "172.19.2.240"
    port => 514
  }
}
The error is:
Invalid setting for syslog output plugin:
output {
syslog {
This setting must be a ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
Expected one of ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"], got ["%{syslog_facility}"]
facility => ["%{syslog_facility}"]
...
}
} {:level=>:error}
Hi,
I also need to be able to use this facility. I am using rsyslog to monitor a file, then I was using logstash to parse and extract the severity, facility etc. to forward to a new host. I was hoping to dynamically assign these to the output. See the logstash.conf file I am using below.
Thanks
Matt
filter {
  # Split the timestamp off the front of the line; the rest becomes the message.
  grok {
    type => "syslog"
    patterns_dir => [ "/home/whitakma/Downloads/grok/grok-master/patterns" ]
    pattern => [ "%{DATESTAMP:syslogDate}%{SPACE}%{GREEDYDATA:msgRemainder}" ]
  }
  mutate {
    type => "syslog"
    replace => [ "@message", "%{msgRemainder}" ]
  }
  mutate {
    type => "syslog"
    remove => [ "msgRemainder" ]
  }
  # Extract facility and severity (SYSLOGFAC/SYSLOGSEV are custom patterns from patterns_dir).
  grok {
    type => "syslog"
    patterns_dir => [ "/home/whitakma/Downloads/grok/grok-master/patterns" ]
    pattern => [ "%{SYSLOGFAC:syslogFac}%{NOTSPACE}%{SYSLOGSEV:syslogSev}" ]
  }
  # A single replace setting carries both field/value pairs.
  mutate {
    type => "syslog"
    replace => [ "@facility", "%{syslogFac}", "@priority", "%{syslogSev}" ]
  }
}
output {
  stdout {
    debug => true
    #debug_format => "json"
  }
  syslog {
    host => "x.x.x.x"
    port => 514
    facility => "local0"  # <<-- want this to come from the event instead of a literal
    severity => "alert"
  }
}
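Both configs above want the facility and severity resolved from event fields, and the error shows why that fails: the plugin validates the literal string `"%{syslog_facility}"` against its label list at config time, before any event exists. The Ruby below is an added example, not code from Logstash or from the linked pull request; it shows what a dynamic output has to do instead: expand the `%{field}` reference per event, validate the expanded label at send time, and derive the syslog PRI from the label lists (the facility list is the one printed in the error, the severity list is the RFC 3164 order). The sample event, the `sprintf_field`/`resolve_pri`/`format_rfc3164` helpers and the field names are this example's own assumptions.

```ruby
require "time"

# Facility labels in PRI order; the list is the one printed in the error above.
# Duplicated labels ("security/authorization", "clock") are RFC 3164 quirks:
# Array#index returns the first, i.e. 4 and 9.
FACILITY_LABELS = [
  "kernel", "user-level", "mail", "daemon", "security/authorization",
  "syslogd", "line printer", "network news", "uucp", "clock",
  "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock",
  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"
].freeze

# Severity labels in RFC 3164 order (0 = emergency ... 7 = debug).
SEVERITY_LABELS = [
  "emergency", "alert", "critical", "error", "warning",
  "notice", "informational", "debug"
].freeze

# Constructed sample event (assumption: fields already extracted by a filter).
SAMPLE_EVENT = {
  "@timestamp"      => "2013-10-01T12:34:56.000Z",
  "host"            => "app01",
  "program"         => "ntpd",
  "message"         => "clock synchronized",
  "syslog_facility" => "clock",
  "syslog_severity" => "informational"
}.freeze

# The check the plugin performs at config time: a literal label or nothing.
# This is exactly why "%{syslog_facility}" is rejected before any event is seen.
def config_time_valid?(labels, value)
  labels.include?(value)
end

# Expand Logstash-style "%{field}" references against an event hash.
# Unknown fields are left unexpanded, which mirrors Logstash's sprintf.
def sprintf_field(template, event)
  template.gsub(/%\{([^}]+)\}/) do |m|
    name = Regexp.last_match(1)
    event.key?(name) ? event[name].to_s : m
  end
end

# Resolve facility/severity per event (literal label or "%{field}") and
# validate the *expanded* value, raising so a bad field value is not silently
# mapped to some other facility. Returns the PRI: facility * 8 + severity.
def resolve_pri(facility_setting, severity_setting, event)
  facility = sprintf_field(facility_setting, event)
  severity = sprintf_field(severity_setting, event)
  fcode = FACILITY_LABELS.index(facility)
  scode = SEVERITY_LABELS.index(severity)
  raise ArgumentError, "unknown facility #{facility.inspect}" if fcode.nil?
  raise ArgumentError, "unknown severity #{severity.inspect}" if scode.nil?
  fcode * 8 + scode
end

# Build an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG
def format_rfc3164(pri, event)
  ts  = Time.parse(event["@timestamp"]).strftime("%b %e %H:%M:%S")
  tag = event["program"] || "logstash"
  "<#{pri}>#{ts} #{event["host"]} #{tag}: #{event["message"]}"
end

if __FILE__ == $0
  pri = resolve_pri("%{syslog_facility}", "%{syslog_severity}", SAMPLE_EVENT)
  puts format_rfc3164(pri, SAMPLE_EVENT)
end
```

Running the script prints the line that would be sent for the sample event: `<78>Oct  1 12:34:56 app01 ntpd: clock synchronized` (facility clock = 9, severity informational = 6, PRI = 9*8+6). The point for a relay is the runtime check in `resolve_pri`: an upstream source that emits an unexpected label should be rejected per event, not quietly coerced to a wrong facility or left unexpanded as the literal text `%{syslog_facility}`.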
This is still the case in 1.2.2; we need a solution.
Proposed patch:
https://github.com/logstash/logstash/pull/1039
Duplicate
Duplicate of linked issue