Question
How do I keep %{message} from being truncated when passing it as a parameter to a script?
Situation
I have logstash set up to tag specific errors, the cause of the error, and the error solution (if I know of one). I have a bit in my config file like the below.
exec {
command => "Powershell C:\ELK-Stack\logstash\bin\SendEmail.ps1 -source %{source} -message %{message} -error %{error_cause_} -solution %{error_troubleshoot_}"
}
The above works, the only problem is I only get the first word from each of these fields.
What I Tried
I remembered that [message] gets broken down in to smaller pieces which are then analyzed. So I tried allowing an array of strings as the parameter and joining them together. I have had no luck.
The issue was not logstash. The issue was the way I was calling my Powershell script. changing
exec {
command => "Powershell C:\ELK-Stack\logstash\bin\SendEmail.ps1 -source %{source} -message %{message} -error %{error_cause_} -solution %{error_troubleshoot_}"
}
to
exec {
command => "Powershell -file C:\ELK-Stack\logstash\bin\SendEmail.ps1 -source %{source} -message \"%{message}\" -error \"%{error_cause_}\" -solution \"%{error_troubleshoot_}\""
}
Fixed my issue.