<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Looks like you might be running into
the maximum message size.<br>
Try setting the syslog-ng configuration item<br>
<br>
log_msg_size(64K);<br>
<br>
<br>
On 05/10/2017 10:50 AM, Scot wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOxbc8EjLUHyFk=QhWmjfpn8e7pZRotW3SQ5bxeWt+VTbcDCLA@mail.gmail.com">
<div dir="ltr">Using a RAW TCP seems to be losing some of the
beats header data and messages are getting concatenated.
<div>
<div>Trying different options but I'm fumbling. <br>
</div>
<div><br>
</div>
<div>
<div> syslog-ng[4596]: Unparsable JSON stream encountered;
input='=net"},"message":"Synchronization of a replica of
an Active Directory naming context has
begun.\n\nDestination DRA:\tCN=NTDS Settings,CN=...blaaa"</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>source s_BEATS { network(port(5140)
flags(no-parse)); };</div>
<div>
<div>parser p_json {</div>
<div> json-parser (prefix(".json."));</div>
<div>};</div>
</div>
<div>log { source(s_BEATS); parser(p_json); destination
(d_file); };<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Anyone have a howto or blog for using syslog-ng with JSON
inputs?</div>
<div>I'm looking at the syslog-ng-ose-latest-guides but it's
hard to put all the input, output and parser requirements
together.</div>
<div><br>
</div>
<div>Trying to get here </div>
<div>winlogbeat->syslog-ng->ES </div>
<div>winlogbeat->syslog-ng->SPLUNKForwarder</div>
<div>winlogbeat->syslog-ng->/opt/syslog-ng/logs/$FROM_HOST.json <br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">or </div>
<div class="gmail_quote">
<div>winlogbeat->logstash->syslog-ng->ES </div>
<div>...</div>
<div><br>
</div>
</div>
<div class="gmail_quote">On Tue, May 9, 2017 at 3:27 AM,
Fabien Wernli <span dir="ltr">&lt;<a
href="mailto:wernli@in2p3.fr" target="_blank"
moz-do-not-send="true">wernli@in2p3.fr</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Hi,<br>
<span><br>
On Mon, May 08, 2017 at 11:30:14PM +0000, Scot wrote:<br>
> I'm trying to find a solution that will let me
mirror my beats data like<br>
> syslog-ng lets me do with syslog traffic.<br>
<br>
</span>As far as I know those tools simply send the data
over TCP in JSON format.<br>
If you just need to do routing using syslog-ng, you can
simply use network<br>
source with flags(no-parse). If you need to process the
data using<br>
syslog-ng, you'll also need the json-parser().<br>
<br>
Cheers<br>
<br>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="500">--
Evan Rempel <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
</pre>
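<p>An added example, not part of the original thread and not syslog-ng code: a Python model of the failure diagnosed above, where a newline-delimited JSON stream is read with a maximum message size and an overlong event is cut into fragments that no longer parse as JSON. The splitting rule, the function names and the sample events are constructed assumptions for illustration.</p>

```python
import json


def split_records(stream: bytes, max_size: int):
    """Model of a newline-delimited reader with a maximum message size.

    Assumption: a line longer than max_size is emitted in max_size-byte
    pieces, and each piece is handed on as a separate message.
    """
    records = []
    for line in stream.split(b"\n"):
        for off in range(0, len(line), max_size):
            records.append(line[off:off + max_size])
    return records


def parse_all(stream: bytes, max_size: int):
    """Return (parsed_events, unparsable_fragments) for the given limit."""
    parsed, bad = [], []
    for rec in split_records(stream, max_size):
        try:
            obj = json.loads(rec)
        except ValueError:          # JSONDecodeError is a ValueError
            bad.append(rec)
            continue
        # Only whole JSON objects count as events.
        (parsed if isinstance(obj, dict) else bad).append(obj if isinstance(obj, dict) else rec)
    return parsed, bad


def smallest_safe_limit(stream: bytes) -> int:
    """Length of the longest line: the limit must be at least this large."""
    return max(len(line) for line in stream.split(b"\n"))


def make_event(n: int, message: str) -> str:
    """Constructed beats-like event; field names are illustrative only."""
    return json.dumps({"beat": {"hostname": f"dc{n}.example.net"}, "message": message})


# Constructed sample: two short events around one long, multi-line one.
SAMPLE = ("\n".join([
    make_event(1, "short event"),
    make_event(2, "Synchronization of a replica has begun.\n\nDestination DRA:\t" + "x" * 300),
    make_event(3, "another short event"),
]) + "\n").encode()

if __name__ == "__main__":
    for limit in (128, 64 * 1024):
        ok, bad = parse_all(SAMPLE, limit)
        print(f"limit={limit}: {len(ok)} parsed, {len(bad)} unparsable fragments")
```

<p>A run of unparsable fragments whose first piece starts with <code>{</code> and whose later pieces start mid-value is the signature of a size limit rather than of malformed input from the sender.</p>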
</body>
</html>