Hi, I’m currently sending Cyxtera JSON logs to our syslog-ng server via syslog-ng, but for some reason I’m not able to get all of the data to parse out correctly. It’s being parsed out under _json. I was at some point able to get the message in JSON form, but all the data was within a MESSAGE bracket.

 

This is where I’m at now. It looks like it parses correctly, but it’s all under _json. Is there a way to remove that and keep everything else?

 

This is what my syslog-ng config looks like.

 

@version:3.14
@include "scl.conf"

# syslog-ng configuration file.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

######################################
# Sources
######################################

source s_cyxtera {
    # no-parse: the whole TCP line is stored unchanged in $MESSAGE,
    # which is what json-parser() reads by default.
    tcp(port(51404) flags(no-parse));
};

######################################
# Destinations
######################################

# The template emits every name-value pair whose name starts with a dot.
# Because the parser below stores its output under ".json.", format-json
# nests those pairs in a "_json" object (dots delimit nesting and a leading
# dot is rendered as "_"); that is the "_json" key seen in Splunk.
destination d_cyxtera {
    file("/data/log/syslog/cyxtera/$HOST/$YEAR-$MONTH-$DAY-cyxtera.log"
         template("$(format-json --scope dot-nv-pairs)\n"));
};

######################################
# Parser
######################################

# Parses $MESSAGE as JSON and stores each key as ".json.<key>".
parser p_json { json-parser(prefix(".json.")); };

######################################
# Log
######################################

log { source(s_cyxtera); parser(p_json); destination(d_cyxtera); };

options {
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(1000);
    chain_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    # The destination path contains per-host and per-day directories;
    # with create_dirs(no) they must already exist or the file cannot be opened.
    create_dirs(no);
    keep_hostname(yes);
    # Note: owner()/group() and dir-owner()/dir-group() name different users
    # ("usr01" vs "user01") in the posted config.
    owner("usr01");
    group("usr01");
    dir-owner("user01");
    dir-group("user01");
    dir-perm(0755);
    # 0755 makes the log files world-readable (and marks them executable);
    # 0640 is the usual choice for log files.
    perm(0755);
};

 

This is how the data is showing up in Splunk. I had to clear some info, but these are the main keys showing up. I have to expand _json: to get everything inside the key. I want it so that I don’t have the _json and everything else shows up as its own individual key. Hope this makes sense. I know I’m using some of the wrong terminology.

 

 

Thank you,

 

Julio Garcia
Pro, Information Security Engineer
CoreLogic

Direct (949) 214-1284
Mobile (714) 474-5254
julgarcia@corelogic.com 


Our Vision: Deliver unique property-level insights that power the global real estate economy

 

******************************************************************************************
This message may contain confidential or proprietary information intended only for the use of the
addressee(s) named above or may contain information that is legally privileged. If you are
not the intended addressee, or the person responsible for delivering it to the intended addressee,
you are hereby notified that reading, disseminating, distributing or copying this message is strictly
prohibited. If you have received this message by mistake, please immediately notify us by 
replying to the message and delete the original message and any copies immediately thereafter.

Thank you.
******************************************************************************************
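One way to get flat keys instead of a nested _json object, as an added example rather than part of the message above: keep the prefix on json-parser() so that keys in the incoming JSON (a "HOST" or "MESSAGE" field, for instance) cannot overwrite syslog-ng's own name-value pairs, and strip the prefix again on output with the --rekey/--shift options of format-json. The port, paths and parser prefix are the ones from the posted config; the sample input and output lines in the comments are constructed, and the 0640 permission and create-dirs(yes) are this example's choices, not the poster's.

```conf
@version:3.14
@include "scl.conf"

# Added example config, not the poster's own. Only the destination template
# (and the file permission / directory creation) differ from the posted config.

source s_cyxtera {
    # no-parse: the whole TCP line lands in $MESSAGE, which json-parser() reads by default
    tcp(port(51404) flags(no-parse));
};

# Keep the prefix: parsed keys are stored as ".json.<key>" and cannot collide
# with built-in name-value pairs such as HOST, PROGRAM or MESSAGE.
parser p_json {
    json-parser(prefix(".json."));
};

# --scope dot-nv-pairs selects every pair whose name starts with a dot,
# --rekey .json.* restricts the key rewrite to the parser's pairs, and
# --shift 6 drops the first six characters (".json.") from those names.
# The leading dot is what produced the "_json" object: format-json treats
# dots as nesting delimiters and renders a leading dot as "_".
destination d_cyxtera {
    file("/data/log/syslog/cyxtera/$HOST/$YEAR-$MONTH-$DAY-cyxtera.log"
         create-dirs(yes)   # path contains per-host and per-day directories
         perm(0640)         # log files should not be world-readable
         template("$(format-json --scope dot-nv-pairs --rekey .json.* --shift 6)\n")
    );
};

log {
    source(s_cyxtera);
    parser(p_json);
    destination(d_cyxtera);
};

# Constructed input line sent to TCP port 51404:
#   {"event":"login","user":"alice","src":"10.0.0.5"}
# With the posted template the file receives (key order may differ):
#   {"_json":{"event":"login","user":"alice","src":"10.0.0.5"}}
# With the template above it receives:
#   {"event":"login","user":"alice","src":"10.0.0.5"}
```

Check the file with `syslog-ng --syntax-only -f <file>` before reloading, then send one constructed JSON line to port 51404 (for example with nc) and compare the written line against the expected output in the comments. If the incoming JSON is itself nested, the inner objects stay nested in the output; only the ".json." prefix is removed.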