Logstash output to AlienVault (OSSIM)

Question

I have the following topology:

rsyslog clients -> logstash server -> elasticsearch & another logstash & alienvault & local file

The problem is that alienvault wants just the raw message, without any json fields. How could i send only to alienvault just the value of the "message" field?

Until now i have made something like this: - in logstash, in filter i have configured clone { clones => ["alien"] }. - all the remaining filtering is above this line - after all the other filtering i have something like...if [type] == "alien" -> mutate -> remove_field (all the fields except for the [type]; - in logstash output i have if [type] == "alien" udp { host, port, etc}

But AlienVault still receives something like this:

Aug 31 17:01:41 {"message": "Aug 31 09:01:35 bkp1 sshd[10538]: Connection from port ","type":"alien"}

and i want AlienVault to receive just "Aug 31 09:01:35 bkp1 sshd[10538]: Connection from port "

Is this possible with logstash?

Thanks

Answer 1

Ok, after two days i finally figured out (in case anyone else needs this). So this is the output for AlienVault:

tcp { host => "" port => "" message_format => "%{message}" codec => line { format => "%{message}" } }

P.S. I think you need it to be tcp because you need that "message_format" which is not available on the udp output.