
How to add severity, facility field to Kibana with fluentd parse?


I use rsyslog with the default config, traditional template. Rsyslog sends all syslog to fluentd.

My fluentd config:

<source>
 @type syslog
 port 5140
 tag rsyslog
</source>

<match rsyslog.*.*>
 @type elasticsearch
 host localhost
 port 9200
 logstash_format true
</match>

Kibana (screenshot of the indexed document, not reproduced here):

How to add severity and facility fields to Kibana?


Solution

  • You can configure severity_key (https://docs.fluentd.org/input/syslog#severity_key) and facility_key (https://docs.fluentd.org/input/syslog#facility_key) config to extract severity and facility. So something like this should work:

    <source>
     @type syslog
     port 5140
     tag rsyslog
     severity_key severity
     facility_key facility
    </source>
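To make it concrete what those two keys do to a record, here is an added example (not part of the original question or answer, and not fluentd's own code) that parses an RFC 3164 line as rsyslog's traditional template emits it, derives facility and severity from the PRI value, and builds the record and tag the way the in_syslog plugin does with severity_key / facility_key set. The facility and severity name tables and the tag layout `tag.facility.severity` are assumptions about the plugin's behaviour; the sample lines are constructed. It also shows why the question's `<match rsyslog.*.*>` pattern fits that tag: each `*` matches exactly one dot-separated segment.

```python
import re
from typing import Any, Dict, Optional, Tuple

# Facility (0-23) and severity (0-7) names in PRI order. Assumption: these are
# the names fluentd's in_syslog plugin writes into the record and the tag.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "at",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]

# rsyslog's traditional template: "<PRI>Mmm dd hh:mm:ss host ident[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<ident>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$"
)


def parse_syslog(line: str, tag: str = "rsyslog", severity_key: str = "severity",
                 facility_key: str = "facility") -> Optional[Tuple[str, Dict[str, Any]]]:
    """Return (fluentd_tag, record) for one syslog line, or None if it is malformed.

    PRI = facility * 8 + severity, so facility is PRI >> 3 and severity is PRI & 7.
    The record carries the severity and facility under the configured key names,
    which is what makes them appear as fields in Kibana.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # local7.debug (23*8+7) is the largest valid PRI
        return None
    facility = FACILITIES[pri >> 3]
    severity = SEVERITIES[pri & 7]
    record: Dict[str, Any] = {
        "host": m.group("host"),
        "ident": m.group("ident"),
        "message": m.group("message"),
    }
    if m.group("pid"):
        record["pid"] = m.group("pid")
    record[severity_key] = severity
    record[facility_key] = facility
    # Assumption: in_syslog emits events tagged "<tag>.<facility>.<severity>".
    return f"{tag}.{facility}.{severity}", record


def tag_matches(tag: str, pattern: str) -> bool:
    """fluentd <match> semantics: '*' matches exactly one dot-separated segment."""
    tparts, pparts = tag.split("."), pattern.split(".")
    return len(tparts) == len(pparts) and all(
        p == "*" or p == t for p, t in zip(pparts, tparts)
    )


if __name__ == "__main__":
    # Constructed sample lines; PRI 34 = auth.crit, PRI 13 = user.notice.
    samples = [
        "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for alice on /dev/pts/8",
        "<13>Oct 11 22:14:16 host1 sshd: Accepted publickey for alice from 10.0.0.5",
        "<999>Oct 11 22:14:17 host1 bogus: PRI out of range",
    ]
    for s in samples:
        parsed = parse_syslog(s)
        if parsed is None:
            print("dropped malformed line:", s)
            continue
        tag, record = parsed
        print(tag, "matches rsyslog.*.*:", tag_matches(tag, "rsyslog.*.*"), record)
```

Running the block prints the tag and record for the two valid lines and reports the third as dropped. With the keys in place, a Kibana filter such as `facility:auth AND severity:crit` then selects the first event; without them, that information survives only inside the tag, which is not a document field.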