foo

#!/bin/sh
echo $* >> /tmp/foo
cat >> /tmp/foo

logstash.conf

 input {
   stdin {
     type => "stuff"
   }
 }

 filter {
   mutate {
     type => "stuff"
     add_field => [ "nagios_service", "JAMJAMJAM" ]
   }
   mutate {
     type => "stuff"
     add_field => [ "nagios_status", "0" ]
   }
   mutate {
     type => "stuff"
     add_field => [ "nagios_service", "MARMALADE" ]
   }
   mutate {
     type => "stuff"
     add_field => [ "nagios_status", "1" ]
   }
 }

 # Specifically, I'm trying to generate:
 # "@fields": {
 #    nagios_status: [0, 0]
 #    nagios_service: ["JAM", "MARM"]
 # }

 output {
   mynagios_nsca {
     type    => "stuff"
     send_nsca_bin => "/home/tdoran/foo"
     nagios_status_field => "nagios_status"
     nagios_service_field => "nagios_service"
   }
 }

logstash_console.txt

ldn-dev-tdoran ~ $ /usr/bin/java -jar /opt/logstash-monolithic.jar agent --pluginpath /home/tdoran/logstash_plugins/ --config /home/tdoran/logstash.conf
Using experimental plugin 'mynagios_nsca'. This plugin is untested and may change in the future. For more information about plugin statuses, see http://logstash.net/docs/1.1.12/plugin-status  {:level=>:warn}
FIRST
Running send_nsca command {"nagios_nsca_command"=>"echo 'ldn-dev-tdoran~JAMJAMJAM~0~2013-06-27T20:00:53.839Z stdin://ldn-dev-tdoran/: FIRST' | /home/tdoran/foo -H localhost -p 5667 -d '~' 2>/dev/null >/dev/null", :level=>:warn}
SECOND
FINISHED Running send_nsca command {"nagios_nsca_command"=>"echo 'ldn-dev-tdoran~JAMJAMJAM~0~2013-06-27T20:00:53.839Z stdin://ldn-dev-tdoran/: FIRST' | /home/tdoran/foo -H localhost -p 5667 -d '~' 2>/dev/null >/dev/null", :level=>:warn}
Running send_nsca command {"nagios_nsca_command"=>"echo 'ldn-dev-tdoran~MARMALADE~1~2013-06-27T20:00:53.839Z stdin://ldn-dev-tdoran/: FIRST' | /home/tdoran/foo -H localhost -p 5667 -d '~' 2>/dev/null >/dev/null", :level=>:warn}
THIRD
FINISHED Running send_nsca command {"nagios_nsca_command"=>"echo 'ldn-dev-tdoran~MARMALADE~1~2013-06-27T20:00:53.839Z stdin://ldn-dev-tdoran/: FIRST' | /home/tdoran/foo -H localhost -p 5667 -d '~' 2>/dev/null >/dev/null", :level=>:warn}
Running send_nsca command {"nagios_nsca_command"=>"echo 'ldn-dev-tdoran~JAMJAMJAM~0~2013-06-27T20:00:56.767Z stdin://ldn-dev-tdoran/: SECOND' | /home/tdoran/foo -H localhost -p 5667 -d '~' 2>/dev/null >/dev/null", :level=>:warn}

mynagios_nsca.rb

require "logstash/outputs/base"
require "logstash/namespace"

# The nagios_nsca output is used for sending passive check results to Nagios
# through the NSCA protocol.
#
# This is useful if your Nagios server is not the same as the source host from
# where you want to send logs or alerts. If you only have one server, this
# output is probably overkill # for you, take a look at the 'nagios' output
# instead.
#
# Here is a sample config using the nagios_nsca output:
#     output {
#       nagios_nsca {
#         # specify the hostname or ip of your nagios server
#         host => "nagios.example.com"
#
#         # specify the port to connect to
#         port => 5667
#       }
#     }

class LogStash::Outputs::MynagiosNsca < LogStash::Outputs::Base

  config_name "mynagios_nsca"
  plugin_status "experimental"

  # The status to send to nagios. Should be 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN
  config :nagios_status, :validate => :string

  config :nagios_status_field, :validate => :string
  config :nagios_service_field, :validate => :string

  # The nagios host or IP to send logs to. It should have a NSCA daemon running.
  config :host, :validate => :string, :default => "localhost"

  # The port where the NSCA daemon on the nagios host listens.
  config :port, :validate => :number, :default => 5667

  # The path to the 'send_nsca' binary on the local host.
  config :send_nsca_bin, :validate => :path, :default => "/usr/sbin/send_nsca"

  # The path to the send_nsca config file on the local host.
  # Leave blank if you don't want to provide a config file.
  config :send_nsca_config, :validate => :path

  # The nagios 'host' you want to submit a passive check result to. This
  # parameter accepts interpolation, e.g. you can use @source_host or other
  # logstash internal variables.
  config :nagios_host, :validate => :string, :default => "%{@source_host}"

  # The nagios 'service' you want to submit a passive check result to. This
  # parameter accepts interpolation, e.g. you can use @source_host or other
  # logstash internal variables.
  config :nagios_service, :validate => :string, :default => "LOGSTASH"

  public
  def register
    if @nagios_service_field and not @nagios_status_field
      raise("You have set nagios_service_field but not nagios_status_field - unsupported")
    end
    if @nagios_status_field and not @nagios_service_field
      raise("You have set nagios_status_field but not nagios_service_field - unsupported")
    end
  end

  public
  def receive(event)

    @logger.debug("receive called", "event" => event)
    # exit if type or tags don't match
    return unless output?(event)

    # catch logstash shutdown
    if event == LogStash::SHUTDOWN
      finished
      return
    end

    # skip if 'send_nsca' binary doesn't exist
    if !File.exists?(@send_nsca_bin)
      @logger.warn("Skipping nagios_nsca output; send_nsca_bin file is missing",
                   "send_nsca_bin" => @send_nsca_bin, "missed_event" => event)
      return
    end

    if @nagios_service_field and @nagios_status_field
      statuses = event[@nagios_status_field].to_a
      services = event[@nagios_service_field].to_a

      @logger.debug(" STATUSES: #{statuses.join(', ')} SERVICES: #{services.join(', ')}")

      if statuses.size != services.size
        @logger.warn("Skipping nagios_nsca output; field #{@nagios_service_field} had different number of entries to #{@nagios_status_field}", "missed_event" => event)
        return
      end

      services.each do |service|
        @logger.debug("WORK FOR ONE SERVICE #{service}")
        send_event(event, service, statuses.shift)
        @logger.debug('send_event returned')
      end
    else
      send_event(event, event.sprintf(@nagios_service), event.sprintf(@nagios_status))
    end
  end # receive

  def send_event(event, nagios_service, status)
    @logger.debug("send_event called", "event" => event, "nagios_service" => nagios_service, "status" => status)
    # interpolate params
    nagios_host = event.sprintf(@nagios_host)

    # escape basic things in the log message
    # TODO: find a way to escape the message correctly
    msg = event.to_s
    msg.gsub!("\n", "<br/>")
    msg.gsub!("'", "&#146;")

    if status.to_i.to_s != status # Check it round-trips to int correctly
      msg = "status '#{status}' is not numeric"
      status = 2
    else
      status = status.to_i
      if status > 3 || status < 0
         msg "status must be > 0 and <= 3, not #{status}"
         status = 2
      end
    end

    # build the command
    # syntax: echo '<server>!<nagios_service>!<status>!<text>'  | \
    #           /usr/sbin/send_nsca -H <nagios_host> -d '!' -c <nsca_config>"
    cmd = %(echo '#{nagios_host}~#{nagios_service}~#{status}~#{msg}' |)
    cmd << %( #{@send_nsca_bin} -H #{@host} -p #{@port} -d '~')
    cmd << %( -c #{@send_nsca_config}) if @send_nsca_config
    cmd << %( 2>/dev/null >/dev/null)
    @logger.warn("Running send_nsca command", "nagios_nsca_command" => cmd)

    system("#{cmd}")
    @logger.warn("FINISHED Running send_nsca command", "nagios_nsca_command" => cmd)

  end # def send_event
end # class LogStash::Outputs::NagiosNsca

nsca_command_run.txt

ldn-dev-tdoran ~ $ touch /tmp/foo
ldn-dev-tdoran ~ $ tail -f /tmp/foo
-H localhost -p 5667 -d ~
ldn-dev-tdoran~JAMJAMJAM~0~2013-06-27T20:00:53.839Z stdin://ldn-dev-tdoran/: FIRST
-H localhost -p 5667 -d ~
ldn-dev-tdoran~MARMALADE~1~2013-06-27T20:00:53.839Z stdin://ldn-dev-tdoran/: FIRST
-H localhost -p 5667 -d ~
ldn-dev-tdoran~JAMJAMJAM~0~2013-06-27T20:00:56.767Z stdin://ldn-dev-tdoran/: SECOND