h3c设备的syslog日志格式上的开头时间的部分多个年份，格式如下
May 22 09:37:55 2020 L04_39_S_05 %%10L2INF/2/PORT LINK STATUS CHANGE(t):- 1 - Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227738, ifAdminStatus is 1, ifOperStatus is 2 ",

我的logstash的 conf是如下：
input{
syslog {
host => "10.xx.xx.xx"
port=> 514
type=> “h3c”
}
}
output{
stdout{
codec=>rubydebug
}
}

解析出来的格式如下：
{
“type” => “h3c”,
“facility_label” => “local7”,
“severity” => 4,
“facility” => 23,
“logsource” => “2020”,
“message” => “L04_39_S_05 %%10NTP/5/NTP_LOG(l):- 1 - System leap changes from 3 to 0 after clock update.”,
“priority” => 188,
“host” => “10.4.39.5”,
“timestamp” => “Jun 5 14:20:47”,
“severity_label” => “Warning”,
"@version" => “1”,
"@timestamp" => 2020-06-05T06:20:47.000Z
}
明显看出解析de有错位
logsource 被2020这个年份占据了
我的想法是把原始的日志中的2020去掉
使最终解析出来的格式如下

{
“type” => “h3c”,
“facility_label” => “local7”,
“severity” => 4,
“facility” => 23,
“logsource” => “L04_39_S_05”,
“message” => " - 1 - System leap changes from 3 to 0 after clock update.",
“priority” => 188,
“host” => “10.4.39.5”,
“timestamp” => “Jun 5 14:20:47”,
“severity_label” => “Warning”,
"@version" => “1”,
program =>"%%10NTP/5/NTP_LOG"
"@timestamp" => 2020-06-05T06:20:47.000Z
}

我该如何实现？