Mapping hardware hostnames from syslogs to Datadog "hostname" attribute #9905
-
|
I am looking to send syslogs from hardware to Vector, and transform this to JSON and remap the hostname attribute from the syslogs to "hostname" so logs in Datadog say they are from that host, not the system doing the relay like syslog-ng does. Is this possible? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Yes! The {
"appname": "non",
"[email protected]": "1011",
"[email protected]": "Application",
"[email protected]": "3",
"facility": "user",
"hostname": "dynamicwireless.name",
"message": "Try to override the THX port, maybe it will reboot the neural interface!",
"msgid": "ID931",
"procid": 2426,
"severity": "notice",
"timestamp": "2020-03-13T20:45:38.119Z",
"version": 1
}So for example your script could look something like this . = parse_syslog!(.message) # replaces the original event with the parsed message field
.host = del(.hostname) # I think DD will use either host or hostname but you can specify as you need |
Beta Was this translation helpful? Give feedback.
-
|
Is there an option to then parse that hostname attribute into more fields? So if a system is |
Beta Was this translation helpful? Give feedback.
-
|
Almost! I've been working on that function, but it hasn't yet landed. Any time, rather than directly assigning to the event entirely ( |
Beta Was this translation helpful? Give feedback.
Yes! The
parse_syslogfunction will return an object like this:{ "appname": "non", "[email protected]": "1011", "[email protected]": "Application", "[email protected]": "3", "facility": "user", "hostname": "dynamicwireless.name", "message": "Try to override the THX port, maybe it will reboot the neural interface!", "msgid": "ID931", "procid": 2426, "severity": "notice", "timestamp": "2020-03-13T20:45:38.119Z", "version": 1 }So for example your script could look something like this