JSON logging of datasource or 'path' value

Hi there,

I’m experimenting with the JSON output and wanting to manually feed logs to logstash via ‘cat | nc’. Is it possible to have the JSON output write the datatype or ‘path’ value similar to what is written as a metadata field at the top of ascii logs, but include it in each record for easy parsing in Logstash?

Thanks,

Chris

Hi Chris,

> I'm experimenting with the JSON output and wanting to manually feed logs to
> logstash via 'cat | nc'. Is it possible to have the JSON output write the
> datatype or 'path' value similar to what is written as a metadata field at
> the top of ascii logs, but include it in each record for easy parsing in
> Logstash?

Yes, this is possible using log extension functions, more specifically by
redefining Log::default_ext_func
(base/frameworks/logging/main.bro — Bro 2.6.1 documentation).

Bro actually contains a testcase that has a script that basically does
exactly what you want:
https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/logging/field-extension.bro

That script adds three fields to each logfile (_write_ts, _stream, and
_system_name). For your case, you only want _stream, but apart from that
this approach should directly work for you.

I hope this helps,
Johanna
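
The approach described in the reply, cut down to the single stream field, as an added example that is not part of either message and is not the linked testcase itself. It assumes Bro 2.6's `Log::default_ext_func`, `Log::default_ext_prefix` and `LogAscii::use_json`; the names `StreamExt` and `add_stream` are hypothetical.

```bro
# Added example: tag every log record with the path of the log it belongs to.
# StreamExt and add_stream are hypothetical names chosen for this sketch.

# Write the ASCII logs as JSON, one object per line.
redef LogAscii::use_json = T;

# Record holding the extension fields. Only fields marked &log are written.
type StreamExt: record {
	stream: string &log;
};

# Called by the logging framework for each filter; "path" is the log's
# path (for example "conn" or "dns"), the same value the ASCII writer
# prints in its "#path" header line.
function add_stream(path: string): StreamExt
	{
	return StreamExt($stream = path);
	}

# Apply the extension to all logs. Extension field names are prefixed with
# Log::default_ext_prefix, which defaults to "_", so the field appears in
# each JSON record as "_stream".
redef Log::default_ext_func = add_stream;
```

On the Logstash side the records can then be routed by testing the `_stream` field of each parsed event.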