<div dir="ltr"><div><br></div>Sorry if I'm missing this but what's the best way to implement a json filter like these in syslog-ng, Patterndb? <br><div><br></div><div>This is my logstash filter that sends data to a specific syslog-ng PORT for each condition, which may grow and become a management headache when there are 6 logstash hosts that will need to support a filter for each breakout needed. </div><div><br></div><div>I'd like to just send everything to a single syslog-ng port and have syslog-ng do the logic, which would then become: </div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><br></div><div><div>input {</div></div><div><div>  beats {</div></div><div><div>    port => 5044</div></div><div><div>  }</div></div><div><div>}</div></div><div><br></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">output{</div></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div>    tcp {</div></div></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div>    host => "loghost"</div></div></div><div><div 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div>    port => "5140"</div></div></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div>    mode => "client"</div></div></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div>    codec => "json_lines"</div></div></div><div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div>    }</div></div></div><div>}</div></blockquote></div><div><b><br></b></div><div><b>Logstash bloated output filters.  
</b></div><div><br></div><div>output{</div><div><div><div>  if [type]=="wineventlog" and "DC" in [tags] {</div><div>    tcp {</div><div>    host => "loghost"</div><div>    port => "5142"</div><div>    mode => "client"</div><div>    codec => "json_lines"</div><div>    }</div><div>  } else if [type]=="wineventlog" and "PCI" in [tags] {</div><div>    tcp {</div><div>    host => "loghost"</div><div>    port => "5141"</div><div>    mode => "client"</div><div>    codec => "json_lines"</div><div>    }</div><div>  } else if [type]=="wineventlog" {</div><div>    tcp {</div><div>    host => "loghost"</div><div>    port => "5140"</div><div>    mode => "client"</div><div>    codec => "json_lines"</div><div>    }</div><div>  } else if [type]=="filebeat" and "apache" in [tags] {</div><div>    tcp {</div><div>    host => "loghost"</div><div>    port => "5145"</div><div>    mode => "client"</div><div>    codec => "json_lines"</div><div>    }</div><div>  } else if [type]=="filebeat" and "PCI" in [tags] {</div><div>    tcp {</div><div>    host => "loghost"</div><div>    port => "5144"</div><div>    mode => "client"</div><div>    codec => "json_lines"</div><div>    }</div><div>  } else if [type]=="filebeat" {</div><div>    tcp {</div><div>    host => "loghost"</div><div>    port => "5143"</div><div>    mode => "client"</div><div>    codec => "json_lines"</div><div>    }</div><div> } else {</div><div>    file {</div><div>    path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"</div><div>    codec => "json_lines"</div><div>    }</div><div>}</div><div>}</div></div></div></div>
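<div>One way to move the routing into syslog-ng, as an added example that is not part of the original post: a single listener, json-parser(), and embedded log paths with flags(final) to reproduce the if / else-if order of the logstash output. The source, filter and destination names and the file paths are hypothetical placeholders, and the tag filters assume each raw JSON line carries a top-level "tags" array.</div>

```conf
# Configuration fragment; include it from the main syslog-ng.conf.
source s_logstash {
    # logstash sends json_lines, so keep the whole line in ${MESSAGE}.
    network(transport("tcp") port(5140) flags(no-parse));
};

parser p_json { json-parser(prefix(".json.")); };

filter f_wineventlog { "${.json.type}" eq "wineventlog" };
filter f_filebeat    { "${.json.type}" eq "filebeat" };

# Assumption: tags are tested against the raw JSON text, because how
# json-parser() exposes array members differs between syslog-ng versions.
filter f_tag_dc     { message('"tags":\s*\[[^\]]*"DC"') };
filter f_tag_pci    { message('"tags":\s*\[[^\]]*"PCI"') };
filter f_tag_apache { message('"tags":\s*\[[^\]]*"apache"') };

# Hypothetical destinations, one per former logstash port.
destination d_win_dc   { file("/var/log/routed/win-dc.json"); };
destination d_win_pci  { file("/var/log/routed/win-pci.json"); };
destination d_win      { file("/var/log/routed/win.json"); };
destination d_fb_apache { file("/var/log/routed/filebeat-apache.json"); };
destination d_fb_pci   { file("/var/log/routed/filebeat-pci.json"); };
destination d_fb       { file("/var/log/routed/filebeat.json"); };
destination d_other    { file("/var/log/routed/other.json"); };

log {
    source(s_logstash);
    parser(p_json);
    # Order matters: the most specific branch first, flags(final) stops
    # the message from reaching the later, more general branches.
    log { filter(f_wineventlog); filter(f_tag_dc);     destination(d_win_dc);    flags(final); };
    log { filter(f_wineventlog); filter(f_tag_pci);    destination(d_win_pci);   flags(final); };
    log { filter(f_wineventlog);                       destination(d_win);       flags(final); };
    log { filter(f_filebeat);    filter(f_tag_apache); destination(d_fb_apache); flags(final); };
    log { filter(f_filebeat);    filter(f_tag_pci);    destination(d_fb_pci);    flags(final); };
    log { filter(f_filebeat);                          destination(d_fb);        flags(final); };
    # Equivalent of the final "else" branch.
    log { destination(d_other); };
};
```

<div>Lines that are not valid JSON fail the parser and never reach any branch here, so a separate log path without the parser is needed if those must be retained.</div>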