<div dir="ltr">Yep, works great! Outgoing seems to add a \n just before the closing quote but much better.  <div>Now I should be able to have one json stream from my remote logstash server to syslog-ng broker. </div><div><br></div><div><div><br></div><div><div>[2017-05-11T23:37:33.500956] Incoming log entry; line='{"scheme":"http","ip":"192.168.1.16","tcp_connect_rtt":{"us":2000},"monitor":"http@<a href="http://192.168.1.16:9200">http://192.168.1.16:9200</a>","type":"http","http_rtt":{"us":2000},"url":"<a href="http://192.168.1.16:9200">http://192.168.1.16:9200</a>","tags":["beats_input_raw_event"],"duration":{"us":5000},"rtt":{"us":4000},"@timestamp":"2017-05-12T03:37:37.258Z","port":9200,"response":{"status":200},"beat":{"hostname":"TYLER-LAPTOP","name":"TYLER-LAPTOP","version":"5.4.0"},"@version":"1","host":"TYLER-LAPTOP","up":true}'</div><div><br></div><div>[2017-05-11T23:37:33.501033] Message parsing complete; result='1'</div><div><br></div><div>[2017-05-11T23:37:33.501109] Outgoing message; message='{"scheme":"http","ip":"192.168.1.16","tcp_connect_rtt":{"us":2000},"monitor":"http@<a href="http://192.168.1.16:9200">http://192.168.1.16:9200</a>","type":"http","http_rtt":{"us":2000},"url":"<a href="http://192.168.1.16:9200">http://192.168.1.16:9200</a>","tags":["beats_input_raw_event"],"duration":{"us":5000},"rtt":{"us":4000},"@timestamp":"2017-05-12T03:37:37.258Z","port":9200,"response":{"status":200},"beat":{"hostname":"TYLER-LAPTOP","name":"TYLER-LAPTOP","version":"5.4.0"},"@version":"1","host":"TYLER-LAPTOP","up":true}</div></div><div>'</div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 11, 2017 at 11:24 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">To remove the time and host from the output you need to define a template to use with your destination.<br>
The template should be "$MESSAGE\n"<span class="im HOEnZb"><br>
<br>
<br>
On 05/11/2017 06:55 PM, Scot wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Forgot to post the debut output. How would I remove the "time and host" prefix added by syslog-ng to the output ?<br>
</blockquote>
<br></span><div class="HOEnZb"><div class="h5">
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>