<div dir="auto">You can parse JSON using the json-parser() and filter on any JSON name-value pair simply with a filter expression.</div>
<div class="gmail_extra"><br><div class="gmail_quote">On Apr 3, 2018 17:39, "Scot" &lt;<a href="mailto:scotrn@gmail.com">scotrn@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
<div>Sorry if I'm missing this, but what's the best way to implement a JSON filter like these in syslog-ng? PatternDB?</div>
<div><br></div>
<div>This is my logstash filter that sends data to a specific syslog-ng port for each condition, which may grow and become a management headache when there are 6 logstash hosts that will need to support a filter for each breakout needed.</div>
<div><br></div>
<div>I'd like to just send everything to a single syslog-ng port and have syslog-ng do the logic, which would then become:</div>
<pre>
input {
  beats {
    port => 5044
  }
}

output {
  tcp {
    host => "loghost"
    port => "5140"
    mode => "client"
    codec => "json_lines"
  }
}
</pre>
<div><b>Logstash bloated output filters.</b></div>
<pre>
output {
  if [type]=="wineventlog" and "DC" in [tags] {
    tcp {
      host => "loghost"
      port => "5142"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="wineventlog" and "PCI" in [tags] {
    tcp {
      host => "loghost"
      port => "5141"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="wineventlog" {
    tcp {
      host => "loghost"
      port => "5140"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="filebeat" and "apache" in [tags] {
    tcp {
      host => "loghost"
      port => "5145"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="filebeat" and "PCI" in [tags] {
    tcp {
      host => "loghost"
      port => "5144"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="filebeat" {
    tcp {
      host => "loghost"
      port => "5143"
      mode => "client"
      codec => "json_lines"
    }
  } else {
    file {
      path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
      codec => "json_lines"
    }
  }
}
</pre>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></div></blockquote></div></div>
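<p>The json-parser() approach suggested in the reply, worked through as a complete syslog-ng configuration that reproduces the Logstash else-if chain with a single listener. This is an added example, not configuration from the thread or from the syslog-ng project; the listener port 5140, the file paths, the filter, template and destination names, the choice to match the tags array with a regex on the raw record, and the sample record in the comment are all assumptions.</p>

```conf
@version: 3.14
@include "scl.conf"

# One TCP listener for every Logstash host (assumed port 5140).
# flags(no-parse) stores the raw json_lines record in $MESSAGE rather
# than trying to read a syslog header from it.
source s_logstash {
  network(ip("0.0.0.0") port(5140) transport("tcp") flags(no-parse));
};

# Expose the JSON members as name-value pairs: ${.json.type}, ${.json.host}, ...
parser p_logstash_json {
  json-parser(prefix(".json."));
};

# Constructed sample record (one line, as Logstash's json_lines codec emits it):
# {"@timestamp":"2018-04-03T17:39:00Z","type":"wineventlog","host":"dc01",
#  "tags":["beats_input_codec_plain_applied","DC"],"message":"An account was logged off"}

# Scalar members compare as strings with "eq".
filter f_wineventlog { "${.json.type}" eq "wineventlog"; };
filter f_filebeat    { "${.json.type}" eq "filebeat"; };

# "tags" is a JSON array. The names json-parser() gives array elements differ
# between syslog-ng versions, so these filters (an assumption of this example)
# match the array inside the raw $MESSAGE with a PCRE instead: the tag has to
# appear as a complete string somewhere inside the "tags":[...] list.
filter f_tag_dc     { message('"tags":\[[^]]*"DC"'     type("pcre")); };
filter f_tag_pci    { message('"tags":\[[^]]*"PCI"'    type("pcre")); };
filter f_tag_apache { message('"tags":\[[^]]*"apache"' type("pcre")); };

# Write the untouched JSON line, so every breakout file stays json_lines.
template t_json_line { template("${MESSAGE}\n"); };

# One destination per breakout (assumed paths).
destination d_win_dc    { file("/var/log/syslog-ng/wineventlog-dc.json"  template(t_json_line)); };
destination d_win_pci   { file("/var/log/syslog-ng/wineventlog-pci.json" template(t_json_line)); };
destination d_win       { file("/var/log/syslog-ng/wineventlog.json"     template(t_json_line)); };
destination d_fb_apache { file("/var/log/syslog-ng/filebeat-apache.json" template(t_json_line)); };
destination d_fb_pci    { file("/var/log/syslog-ng/filebeat-pci.json"    template(t_json_line)); };
destination d_fb        { file("/var/log/syslog-ng/filebeat.json"        template(t_json_line)); };
# Catch-all keyed on the sender, like the Logstash file output; nothing is
# silently dropped, which matters when the records are audit logs.
destination d_other     { file("/var/log/syslog-ng/other/${.json.host}-${YEAR}-${MONTH}-${DAY}.json" template(t_json_line)); };

# Same first-match semantics as the Logstash else-if chain: flags(final)
# stops the record at the first embedded log statement that accepts it.
log {
  source(s_logstash);
  parser(p_logstash_json);

  log { filter(f_wineventlog); filter(f_tag_dc);     destination(d_win_dc);    flags(final); };
  log { filter(f_wineventlog); filter(f_tag_pci);    destination(d_win_pci);   flags(final); };
  log { filter(f_wineventlog);                       destination(d_win);       flags(final); };
  log { filter(f_filebeat);    filter(f_tag_apache); destination(d_fb_apache); flags(final); };
  log { filter(f_filebeat);    filter(f_tag_pci);    destination(d_fb_pci);    flags(final); };
  log { filter(f_filebeat);                          destination(d_fb);        flags(final); };
  log {                                              destination(d_other); };
};
```

<p>With this in place every Logstash host keeps the single tcp output from the question and the breakout logic lives in one file on the loghost. The order of the embedded log statements is what gives the else-if behaviour: the more specific tag filters come first, the bare type filters after them, and the unfiltered statement last. Note that d_other builds its path from ${.json.host}, a value taken from the record just as %{host} was in the Logstash output; if the senders are not all trusted, the connection-derived ${HOST} or ${SOURCEIP} macros are the safer choice for anything that ends up in a filename.</p>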