I have a 4-instance Nagios Log Server cluster that processes logs from multiple servers. I would like a log entry to have the name of the Log server that processed it. I have been looking at the 'add_field' and trying to get something to work that takes the name of the local processing log server and adds it as a field called "processingLogServer":
    if [type] == 'Log' {
      grok {
        match => [ 'message', '%{TIME:logTime}%{GREEDYDATA:logEntry}' ]
      }
      mutate {
        remove_field => [ '@version', 'highlight', 'port', 'SourceModuleType', 'EventReceivedTime', 'message' ]
        add_field => [ 'processingLogServer', 'hostname' ]
      }
    }
The solution I needed was to use ruby, as per https://discuss.elastic.co/t/logstash-hostname-as-field/146662
    filter {
      ruby {
        init => "require 'socket'"
        code => "event['some-field-name'] = Socket.gethostname"
      }
    }
You can use environment variables in your logstash configuration file. So you can use that to add server-dependent information to your logs:

On Windows, the COMPUTERNAME environment variable can be used for that:

    mutate {
      add_field => { "processingLogServer" => "${COMPUTERNAME}" }
    }

On Linux systems, you should be able to use the HOSTNAME environment variable.
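Both approaches above, written out for Logstash 5.0 and later as an added example (not code from either answer). It assumes the `type == 'Log'` condition and the `processingLogServer` field name from the question; the `unknown` default and the `@node` variable are choices made for this example. Any copy of the field that arrived with the event is dropped first, so the value always reflects the node that processed it.

```logstash
filter {
  if [type] == 'Log' {
    # A sender could ship its own 'processingLogServer' field. Drop it first:
    # add_field on a field that already exists appends to it instead of
    # replacing it, which would leave a sender-controlled value in place.
    mutate {
      remove_field => [ 'processingLogServer' ]
    }

    # Variant A: environment variable with a default.
    # Without the ":unknown" default, Logstash refuses to load the pipeline
    # when HOSTNAME is not set in the service environment. On Linux, bash
    # sets HOSTNAME as a shell variable but does not export it, so a
    # service started by systemd or init may not see it at all.
    mutate {
      add_field => { 'processingLogServer' => '${HOSTNAME:unknown}' }
    }

    # Variant B: ask the operating system instead of the environment.
    # Keep only one of the two variants; if both stay, this one wins
    # because event.set overwrites the field.
    ruby {
      # Resolve the node name once at pipeline start, not once per event.
      init => "require 'socket'; @node = Socket.gethostname"
      # Logstash 5.0+ event API. The older event['field'] = value form
      # was removed in 5.0 and raises an error there.
      code => "event.set('processingLogServer', @node)"
    }
  }
}
```

An event whose `processingLogServer` is `unknown` means variant A ran on a node where HOSTNAME was not exported to the Logstash service.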