[syslog-ng] JSON Filter
Scot
scotrn at gmail.com
Tue Apr 3 15:39:01 UTC 2018
Sorry if I'm missing this, but what's the best way to implement a JSON filter
like these in syslog-ng, Patterndb?
This is my logstash filter that sends data to a specific syslog-ng PORT for
each condition, which may grow and become a management headache when there
are 6 logstash hosts that will need to support a filter for each breakout
needed.
I'd like to just send everything to a single syslog-ng port and have
syslog-ng do the logic, which would then become:
input {
  beats {
    port => 5044
  }
}
output {
  tcp {
    host => "loghost"
    port => "5140"
    mode => "client"
    codec => "json_lines"
  }
}
*Logstash bloated output filters.*
output {
  if [type]=="wineventlog" and "DC" in [tags] {
    tcp {
      host => "loghost"
      port => "5142"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="wineventlog" and "PCI" in [tags] {
    tcp {
      host => "loghost"
      port => "5141"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="wineventlog" {
    tcp {
      host => "loghost"
      port => "5140"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="filebeat" and "apache" in [tags] {
    tcp {
      host => "loghost"
      port => "5145"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="filebeat" and "PCI" in [tags] {
    tcp {
      host => "loghost"
      port => "5144"
      mode => "client"
      codec => "json_lines"
    }
  } else if [type]=="filebeat" {
    tcp {
      host => "loghost"
      port => "5143"
      mode => "client"
      codec => "json_lines"
    }
  } else {
    file {
      path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
      codec => "json_lines"
    }
  }
}
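
One way to do this routing on the syslog-ng side, as an added example that is not part of the original post and not the syslog-ng project's own configuration: a single TCP listener parses each json_lines record and the first matching branch wins, mirroring the if / else if chain above. Object names, destination paths and the raw-text tag filters are assumptions, and it assumes a syslog-ng 3.x release with the JSON module installed.

```conf
@version: 3.14
# Added example: object names and file paths are assumptions, not from the post.

source s_logstash {
    # Single listener for all Logstash hosts; no-parse keeps the raw JSON line in $MESSAGE.
    network(transport("tcp") port(5140) flags(no-parse));
};

parser p_json { json-parser(prefix(".json.")); };

filter f_wineventlog { match("wineventlog" value(".json.type") type(string)); };
filter f_filebeat    { match("filebeat" value(".json.type") type(string)); };

# How json-parser exposes the "tags" array depends on the syslog-ng version,
# so these filters test the raw JSON text (assumption: a top-level "tags" key).
filter f_tag_dc     { match('"tags":\s*\[[^\]]*"DC"' value("MESSAGE")); };
filter f_tag_pci    { match('"tags":\s*\[[^\]]*"PCI"' value("MESSAGE")); };
filter f_tag_apache { match('"tags":\s*\[[^\]]*"apache"' value("MESSAGE")); };

# Hypothetical destinations, one per former Logstash output port.
destination d_win_dc   { file("/var/log/routed/wineventlog-dc.json" template("${MESSAGE}\n")); };
destination d_win_pci  { file("/var/log/routed/wineventlog-pci.json" template("${MESSAGE}\n")); };
destination d_win      { file("/var/log/routed/wineventlog.json" template("${MESSAGE}\n")); };
destination d_fb_httpd { file("/var/log/routed/filebeat-apache.json" template("${MESSAGE}\n")); };
destination d_fb_pci   { file("/var/log/routed/filebeat-pci.json" template("${MESSAGE}\n")); };
destination d_fb       { file("/var/log/routed/filebeat.json" template("${MESSAGE}\n")); };
destination d_unmatched {
    # The host value comes from the event, so sanitize it before using it in a file name.
    file("/opt/syslog-ng/logs/logstash/$(sanitize ${.json.host})-${YEAR}-${MONTH}-${DAY}.json"
         template("${MESSAGE}\n"));
};

log {
    source(s_logstash);
    parser(p_json);    # lines that are not valid JSON do not continue down this path
    # flags(final) stops evaluation at the first matching branch,
    # which reproduces the order of the if / else if chain.
    log { filter(f_wineventlog); filter(f_tag_dc);     destination(d_win_dc);   flags(final); };
    log { filter(f_wineventlog); filter(f_tag_pci);    destination(d_win_pci);  flags(final); };
    log { filter(f_wineventlog);                       destination(d_win);      flags(final); };
    log { filter(f_filebeat);    filter(f_tag_apache); destination(d_fb_httpd); flags(final); };
    log { filter(f_filebeat);    filter(f_tag_pci);    destination(d_fb_pci);   flags(final); };
    log { filter(f_filebeat);                          destination(d_fb);       flags(final); };
    log { destination(d_unmatched); };
};
```

With this in place each Logstash host only needs the single tcp output to port 5140, and new breakouts are added as one filter and one branch on the syslog-ng server.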