From 50a3418d7fcc385606c3fe2430a2a9283a72878d Mon Sep 17 00:00:00 2001
From: Alexander Neu
Date: Thu, 13 Oct 2016 20:40:22 +0200
Subject: [PATCH] Fixes #339 (#356)

Overwrite message with the actual logged message.
---
 elk/10-syslog.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/elk/10-syslog.conf b/elk/10-syslog.conf
index ae03326a..17ff59e6 100644
--- a/elk/10-syslog.conf
+++ b/elk/10-syslog.conf
@@ -1,6 +1,7 @@
 filter {
 grok {
- match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+ overwrite => [ "message" ]
+ match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:message}" }
 add_field => [ "received_at", "%{@timestamp}" ]
 add_field => [ "received_from", "%{host}" ]
 add_field => [ "program", "%{syslog_program}" ]
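Review bot: With `overwrite => [ "message" ]` the `message` field now has two shapes depending on whether grok matched: a matched event keeps only the payload after the program/pid prefix, while an event tagged `_grokparsefailure` keeps the full raw syslog line, and a downstream consumer cannot tell which it got from the field alone. The verbatim line is also no longer retained anywhere once the match succeeds, which matters if these events are kept as an audit record; the timestamp and host survive in `syslog_timestamp`/`syslog_hostname`, but the original text does not. Since the capture was renamed from `syslog_message` to `message` and the diffstat shows only this file changed, anything else under `elk/` that references `syslog_message` should be checked, though none of that is visible here. I would add a comment above the `overwrite` line stating the contract, e.g. `# On match, "message" is replaced by the payload only; on _grokparsefailure the raw line is left untouched.`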