Logstash Grok filter add local hostname

Time:09-28

I have a 4 instance Nagios Log Server cluster that processes logs from multiple servers. I would like a log entry to have the name of the Log server that processed it. I have been looking at the 'add_field' and trying to get something to work that takes the name of the local processing log server and adds it as a field called "processingLogServer":

    if [type] == 'Log' {
        grok {
            match => [ 'message', '%{TIME:logTime}%{GREEDYDATA:logEntry}' ]
        }
        mutate {
            remove_field => [ '@version', 'highlight', 'port', 'SourceModuleType', 'EventReceivedTime', 'message' ]
            # this assigns the literal string 'hostname', not the name of the processing node
            add_field => [ 'processingLogServer', 'hostname' ]
        }
    }

CodePudding user response:

The solution I needed was to use ruby, as per https://discuss.elastic.co/t/logstash-hostname-as-field/146662

filter {
  ruby {
    # init runs once at pipeline start; code runs for every event
    init => "require 'socket'"
    # event.set is the Logstash 5+ Event API; the older event['field'] = value form is no longer supported
    code => "event.set('some-field-name', Socket.gethostname)"
  }
}

CodePudding user response:

You can use environment variables in your logstash configuration file. So you can use that to add server-dependent information to your logs:

On Windows, the COMPUTERNAME environment variable can be used for that:

mutate {
    add_field => { "processingLogServer" => "${COMPUTERNAME}" }
}

On Linux systems, you should be able to use the HOSTNAME environment variable.

Or you can use the host field, which is automatically created and set by logstash.

You can copy the content of a field like this:

mutate {
    add_field => { "processingLogServer" => "%{host}" }
}