Syslog output plugin does not translate host

[45hur]

• Version:
  main
• Operating System:
  any
• Config File (if you have sensitive info, please remove it):

input
{
  http
  {
     host => "0.0.0.0"
     port => "80"
     codec => "json"
  }
}
output
{
  if [action] == "syslog"
  {
    syslog
    {
      host => "%{address}"
      appname => "myapp"
      protocol => "tcp"
      severity => "alert"
      facility => "log alert"
      message => "%{body}"
      port => 514
    }
  }

• Sample Data:

{
  "action":"syslog",
  "address":"logstash-syslog",
  "subject":"blabla",
  "body":"bodybody"
}

• Expected results
  Syslog plugin connects to dynamic host defined in field address (=logstash-syslog)

• Actual results
  Syslog plugin loads configuration file definition and uses host from there, it does not dynamically reflect what's inside field address. Message works as expected.

• Steps to Reproduce:
  Run the sample data against the configuration.

• Exception:

[2017-11-18T21:22:02,654][WARN][logstash.outputs.syslog  ] syslog tcp output exception: closing, reconnecting and resending event {:host=>"%{address}", :port=>514, :exception=>#<SocketError: initialize: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyTCPSocket.java:137:in `initialize'", "org/jruby/RubyIO.java:875:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-syslog-3.0.4/lib/logstash/outputs/syslog.rb:209:in `connect'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-syslog-3.0.4/lib/logstash/outputs/syslog.rb:177:in `publish'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-codec-plain-3.0.4/lib/logstash/codecs/plain.rb:41:in `encode'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-syslog-3.0.4/lib/logstash/outputs/syslog.rb:147:in `receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:in `block in multi_receive'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/legacy.rb:22:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:49:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:538:in `block in output_batch'", "org/jruby/RubyHash.java:1343:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:536:in `output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:481:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:439:in `block in start_workers'"], :event=>#<LogStash::Event:0x1d7b4ae4>}

reconnecting and resending event {:host=>"%{address}", ...

[yaauie]

This plugin works by opening a persistent connection and sending packets over that connection; it does not perform per-event string interpolation on the host field because doing so would require a new connection for each possible resulting value, which would in turn require overhead about managing and sharing those connections.

It would be entirely possible to implement this, and we would gladly work with community contributions to add this functionality.

I've opened an enhancement issue; please feel free to track it over there and/or help us implement :)