<div dir="ltr"><div><div>Hi,<br><br></div>Could you share your Logstash configuration with us? (At least the part which can be anonymized.) I don't have much Logstash experience, but can help you figure out which are the corresponding syslog-ng features. In the end it could be used as a Logstash to syslog-ng guide.<br><br></div>Bye,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>Balabit / syslog-ng upstream<br><a href="https://www.balabit.com/blog/author/peterczanik/" target="_blank">https://www.balabit.com/blog/author/peterczanik/</a><br><a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></div></div></div></div>
<br><div class="gmail_quote">On Mon, Apr 24, 2017 at 3:42 PM, C. L. Martinez <span dir="ltr"><<a href="mailto:carlopmart@gmail.com" target="_blank">carlopmart@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
 I would like to drop the Logstash collector from our ELK infrastructure and use syslog-ng instead. This ELK infrastructure collects, reports and shows dashboards about security devices: firewalls, anti-spam devices, etc.<br>
<br>
 Most of these logs arrive from rsyslog collectors (deployed in several Linux and BSD machines). I have seen in Balabit's blog page how this could be done: <a href="https://www.balabit.com/blog/how-to-parse-data-with-syslog-ng-store-in-elasticsearch-and-analyze-with-kibana/" rel="noreferrer" target="_blank">https://www.balabit.com/blog/how-to-parse-data-with-syslog-ng-store-in-elasticsearch-and-analyze-with-kibana/</a> and <a href="https://www.balabit.com/blog/collecting-and-parsing-suricata-logs-using-syslog-ng/" rel="noreferrer" target="_blank">https://www.balabit.com/blog/collecting-and-parsing-suricata-logs-using-syslog-ng/</a>.<br>
<br>
 The most important point here is to test all configured Logstash filters inside syslog-ng: GeoIP patterns, some substitution params, etc. Any tips or tricks to accomplish this type of change?<br>
<br>
Many thanks.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Greetings,<br>
C. L. Martinez<br>
____________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</font></span></blockquote></div><br></div>