Hi,

Could you share your Logstash configuration with us? (At least the part which can be anonymized.) I don't have much Logstash experience, but I can help you figure out which are the corresponding syslog-ng features. In the end it could be used as a Logstash to syslog-ng guide.

Bye,

Peter Czanik (CzP) <peter.czanik@balabit.com>
Balabit / syslog-ng upstream
https://www.balabit.com/blog/author/peterczanik/
https://twitter.com/PCzanik

On Mon, Apr 24, 2017 at 3:42 PM, C. L. Martinez <carlopmart@gmail.com> wrote:
Hi all,
I would like to drop the Logstash collector from our ELK infrastructure and use syslog-ng instead. This ELK infrastructure collects, reports and shows dashboards about security devices: firewalls, anti-spam devices, etc.
Most of these logs arrive from rsyslog collectors (deployed in several Linux and BSD machines). I have seen in Balabit's blog page how this could be done: https://www.balabit.com/blog/how-to-parse-data-with-syslog-ng-store-in-elasticsearch-and-analyze-with-kibana/ and https://www.balabit.com/blog/collecting-and-parsing-suricata-logs-using-syslog-ng/.
The most important point here is to test all configured logstash filters inside syslog-ng: GeoIP patterns, some substitution params, etc. Any tips or tricks to accomplish this type of change?
Many thanks.
--
Greetings,
C. L. Martinez

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
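As an added illustration (not code from this thread, from Balabit, or from the linked blog posts), here is a syslog-ng configuration sketch that covers the three pieces the question asks about: receiving the rsyslog-forwarded firewall logs, a GeoIP lookup, a substitution (the counterpart of a Logstash mutate/gsub filter), and an Elasticsearch destination. Assumptions: syslog-ng 3.10 or later with the geoip2 and Java-based elasticsearch2 modules installed (older releases have only the geoip() parser), a firewall message body in key=value form, a MaxMind GeoLite2-City database at the path shown, and Elasticsearch reachable on localhost:9200; the source name, parser and destination names, index name and file path are all made up for the example.

```conf
@version: 3.10

# Constructed example: rsyslog forwarders send the firewall logs here over UDP/514.
source s_rsyslog {
  network(ip("0.0.0.0") port(514) transport("udp"));
};

# Assumption: the firewall message body is key=value,
# e.g. "src=203.0.113.7 dst=198.51.100.20 action=denied".
# Extracted fields become ${fw.src}, ${fw.dst}, ${fw.action}.
parser p_kv {
  kv-parser(prefix("fw."));
};

# GeoIP lookup on the extracted source address; results land in geoip2.* fields.
# Database path is an assumption; adjust to where GeoLite2-City.mmdb is installed.
parser p_geoip {
  geoip2("${fw.src}", prefix("geoip2.") database("/usr/share/GeoIP/GeoLite2-City.mmdb"));
};

# Substitution, the syslog-ng equivalent of a Logstash mutate/gsub:
# normalise the vendor's "denied" to "drop" before indexing.
rewrite r_action {
  subst("denied", "drop", value("fw.action"));
};

# Elasticsearch destination; cluster, server and index name are assumptions.
destination d_es {
  elasticsearch2(
    cluster("elasticsearch")
    client_mode("http")
    server("127.0.0.1")
    port(9200)
    index("firewall-${YEAR}.${MONTH}.${DAY}")
    type("firewall")
    flush-limit(1)
    template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)")
  );
};

# Plain JSON copy on disk: lets you diff syslog-ng's output against the
# old Logstash pipeline field by field before switching dashboards over.
destination d_file {
  file("/var/log/syslog-ng/firewall.json"
       template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)\n"));
};

log {
  source(s_rsyslog);
  parser(p_kv);
  parser(p_geoip);
  rewrite(r_action);
  destination(d_es);
  destination(d_file);
};
```

Check the file with `syslog-ng --syntax-only -f /path/to/this.conf` before reloading, then feed a few captured firewall lines through the UDP source and compare the JSON written to d_file with what Logstash produced for the same lines; that comparison is the practical way to verify that each migrated filter (parser, GeoIP, substitution) yields the fields the Kibana dashboards expect.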