Hi,

I’m currently sending Cyxtera JSON logs to our syslog-ng server via syslog-ng, but for some reason I’m not able to get all of the data to parse out correctly. It’s being parsed out with _json. I was at some point able to get the message in JSON form, but all the data was within a MESSAGE bracket. This is where I’m at now. Looks like it parses correctly, but it’s all under _json. Is there a way to remove that and keep everything else?

This is what my syslog-ng looks like.

@version:3.14
@include "scl.conf"

# syslog-ng configuration file.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/

######################################
#Sources
######################################
source s_cyxtera { tcp(port(51404) flags(no-parse)); };

######################################
#Destinations
######################################
destination d_cyxtera {
    file("/data/log/syslog/cyxtera/$HOST/$YEAR-$MONTH-$DAY-cyxtera.log"
        template("$(format-json --scope dot-nv-pairs)\n"));
};

######################################
# Parser
######################################
parser p_json { json-parser (prefix(".json.")); };

######################################
# Log
######################################
log {
    source( s_cyxtera);
    parser(p_json);
    destination(d_cyxtera);
};

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
    owner("usr01");
    group("usr01");
    dir-owner("user01");
    dir-group("user01");
    dir-perm(0755);
    perm(0755);
};

This is how the data is showing up in Splunk. I had to clear some info, but these are the main keys showing up. I have to expand _json: to get everything inside the key. I want it where I don’t have the _json and everything else shows as its individual key. Hope this makes sense. I know I’m using some of the wrong terminology.
Thank you,
Julio Garcia