Problem: CEF codec munges fields before syslog_relay method
The decode method uses the codec first
The CEF codec overwrites the message field, and puts the syslog data into a field called syslog
If using the CEF codec, and the severity, facility (and/or priority) are not contained as a CEF field, these cannot be easily extracted without needing another plugin. The timestamp also would require another step.
Proposed Solution
Allow for a customizable syslog_field configuration option.
This field will default to message, which will make it completely transparent to all current users.
The combination of the recently added grok_pattern and this new syslog_field should allow the syslog input plugin to completely handle CEF (or other codec formats) while preserving the syslog extracted data.
Problem: CEF codec munges fields before
syslog_relaymethoddecodemethod uses the codec firstmessagefield, and puts the syslog data into a field calledsyslogProposed Solution
syslog_fieldconfiguration option.This field will default to
message, which will make it completely transparent to all current users.The combination of the recently added
grok_patternand this newsyslog_fieldshould allow the syslog input plugin to completely handle CEF (or other codec formats) while preserving the syslog extracted data.