[syslog-ng] Convert logstash filters to syslog-ng

Dwijadas Dey dwijad at gmail.com
Mon Apr 24 17:40:43 UTC 2017


Hi
    Martinez
                  You need to install syslog-ng first. Then create
configuration file for your linux and BSD machines inside
/etc/syslog-ng/conf.d

Say you have configured one linux machine that forwards logs to this
centralized syslog-ng server then you can use following configuration so
that logs gets transferred to kibana.

Forwarder (Linux machine) -> Syslog-ng ( Centralize log collector) ->
Elastic search -> Kibana

One such example can be like.

# vi /etc/syslog-ng/conf.d/remote-linux-1.conf

source s_2514 { tcp(port(2514)); };

# Assuming remote linux machine forwarding logs to syslog-ng server's tcp
port 2514.

destination d_remote_linux1 { tcp("127.0.0.1" port(9200)
template("$(format-json --scope selected_macros --scope nv_pairs)\n")); };

# Change the above IP -> 127.0.0.1 to your elastic server's IP

filter f_remote_linux1 {  '' your filter " ; };

# Apply whatever filter you want, you can use multiple filters as well.

log {

         source(s_2514);

         filter(f_remote_linux1);

         destination(d_remote_linux1);

    };
To use GeoIP in the above configuration, check this
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/geoip-parser.html

I am not expert on ELK, so from elasticsearch to kibana, you need to find
out - how it should be.

Regards

Dwijadas Dey




On Mon, Apr 24, 2017 at 7:12 PM, C. L. Martinez <carlopmart at gmail.com>
wrote:

> Hi all,
>
>  I would like to drop Logstash collector from our ELK infrastructure and
> use syslog-ng instead. This ELK infrastructure collects, report and show
> dashboards about security devices: firewalls, anti-spam devices, etc.
>
>  Most of these logs arrives from rsyslog collectors (deployed in several
> linux and BSD machines). I have seen in Balabit's blog page how this could
> be done: https://www.balabit.com/blog/how-to-parse-data-with-syslog-
> ng-store-in-elasticsearch-and-analyze-with-kibana/ and
> https://www.balabit.com/blog/collecting-and-parsing-
> suricata-logs-using-syslog-ng/.
>
>  The most important point here is to test all configured logstash filters
> inside syslog-ng: GeoIP patterns, some substitution params, etc. Any tips
> or tricks to accomplish this type of change?
>
> Many thanks.
>
> --
> Greetings,
> C. L. Martinez
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170424/a64fe36c/attachment.html>


More information about the syslog-ng mailing list