Reputation: 73
Logstash Grok filter add local hostname
I have a 4 instance Nagios Log Server cluster that processes logs from multiple servers. I would like a log entry to have the name of the Log server that processed it. I have been looking at the 'add_field' and trying to get something to work that takes the name of the local processing log server and adds it as a field called "processingLogServer";
if [type] == 'Log' {
grok {
match => [ 'message', '%{TIME:logTime}%{GREEDYDATA:logEntry}' ]
}
mutate {
remove_field => [ '@version', 'highlight', 'port', 'SourceModuleType', 'EventReceivedTime', 'message' ]
add_field => [ 'processingLogServer', 'hostname' ]
}
}
Upvotes: 0
Views: 1228
Answers (2)
Reputation: 73
The solution I needed was to use ruby, as per https://discuss.elastic.co/t/logstash-hostname-as-field/146662
filter {
ruby {
init => "require 'socket'"
code => "event['some-field-name'] = Socket.gethostname"
}
}
Upvotes: 2
Reputation: 4110
You can use environment variables in your logstash configuration file. So you can use that to add server-dependent information to your logs:
On Windows, the COMPUTERNAME environment can be used for that:
mutate {
add_field => { "processingLogServer" => "${COMPUTERNAME}" }
}
On Linux system, you should be able to use the HOSTNAME environment variable.
Or you can use the host field, that's automatically created and set by logstash.
You can copy the content of a field like this:
mutate {
add_field => { "processingLogServer" => "%{host}" }
}
Upvotes: 0
Related Questions
- elastic search grok filter
- Creating custom grok filters
- Logstash filter for ip
- Error in grok filter which starting logstash
- Filter logs with grok in logstash
- Custom grok filter for logstash
- Logstash Filter Grok for custom log
- logstash grok filter for custom logs
- Configuring Logstash filters
- Logstash Indexing