[syslog-ng] JSON Filter
Scheidler, Balázs
balazs.scheidler at balabit.com
Tue Apr 3 18:27:50 UTC 2018
You can parse JSON using the json-parser() and filter any JSON name-value
pair simply with a filter expression.
On Apr 3, 2018 17:39, "Scot" <scotrn at gmail.com> wrote:
>
> Sorry if I'm missing this, but what's the best way to implement a JSON
> filter like these in syslog-ng, Patterndb?
>
> This is my logstash filter that sends data to a specific syslog-ng PORT
> for each condition which may grow and become a management headache when
> there are 6 logstash hosts that will need to support a filter for each
> breakout needed.
>
> I'd like to just send everything to a single syslog-ng port and have
> syslog-ng do the logic, which would then become:
>
>
> input {
>   beats {
>     port => 5044
>   }
> }
>
> output {
>   tcp {
>     host => "loghost"
>     port => "5140"
>     mode => "client"
>     codec => "json_lines"
>   }
> }
>
>
> *Logstash bloated output filters.*
>
> output {
>   if [type]=="wineventlog" and "DC" in [tags] {
>     tcp {
>       host => "loghost"
>       port => "5142"
>       mode => "client"
>       codec => "json_lines"
>     }
>   } else if [type]=="wineventlog" and "PCI" in [tags] {
>     tcp {
>       host => "loghost"
>       port => "5141"
>       mode => "client"
>       codec => "json_lines"
>     }
>   } else if [type]=="wineventlog" {
>     tcp {
>       host => "loghost"
>       port => "5140"
>       mode => "client"
>       codec => "json_lines"
>     }
>   } else if [type]=="filebeat" and "apache" in [tags] {
>     tcp {
>       host => "loghost"
>       port => "5145"
>       mode => "client"
>       codec => "json_lines"
>     }
>   } else if [type]=="filebeat" and "PCI" in [tags] {
>     tcp {
>       host => "loghost"
>       port => "5144"
>       mode => "client"
>       codec => "json_lines"
>     }
>   } else if [type]=="filebeat" {
>     tcp {
>       host => "loghost"
>       port => "5143"
>       mode => "client"
>       codec => "json_lines"
>     }
>   } else {
>     file {
>       path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
>       codec => "json_lines"
>     }
>   }
> }
>
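
The approach from the reply, sketched as a syslog-ng configuration. This is an added example, not part of the original thread or of syslog-ng's documentation. The version line, the destination paths and every s_/p_/f_/d_ name are assumptions; port 5140 and the type/tags values are taken from the Logstash configuration quoted above.

```conf
@version: 3.14
# Added example. Hypothetical: version line, file paths, object names.

# One listener for every Logstash host (json_lines over TCP).
source s_logstash {
    network(transport("tcp") port(5140) flags(no-parse));
};

# Turn each JSON line into name-value pairs under the ".json." prefix.
parser p_json { json-parser(prefix(".json.")); };

filter f_wineventlog { "${.json.type}" eq "wineventlog"; };
filter f_filebeat    { "${.json.type}" eq "filebeat"; };

# "tags" is a JSON array, and how arrays are exposed as name-value pairs
# differs between syslog-ng versions, so these match the raw JSON line.
filter f_tag_dc  { match('"tags"\s*:\s*\[[^\]]*"DC"'  value("MESSAGE")); };
filter f_tag_pci { match('"tags"\s*:\s*\[[^\]]*"PCI"' value("MESSAGE")); };

destination d_win_dc  { file("/var/log/remote/win-dc.json"  template("$MSG\n")); };
destination d_win_pci { file("/var/log/remote/win-pci.json" template("$MSG\n")); };
destination d_win     { file("/var/log/remote/win.json"     template("$MSG\n")); };
destination d_fb_pci  { file("/var/log/remote/fb-pci.json"  template("$MSG\n")); };
destination d_fb      { file("/var/log/remote/fb.json"      template("$MSG\n")); };
destination d_other   { file("/var/log/remote/other.json"   template("$MSG\n")); };

log {
    source(s_logstash);
    parser(p_json);

    # Most specific routes first; flags(final) stops at the first match,
    # which mirrors the if / else if chain in the Logstash output.
    log { filter(f_wineventlog); filter(f_tag_dc);  destination(d_win_dc);  flags(final); };
    log { filter(f_wineventlog); filter(f_tag_pci); destination(d_win_pci); flags(final); };
    log { filter(f_wineventlog);                    destination(d_win);     flags(final); };
    log { filter(f_filebeat);    filter(f_tag_pci); destination(d_fb_pci);  flags(final); };
    log { filter(f_filebeat);                       destination(d_fb);      flags(final); };

    # Everything else that parsed as JSON (the final "else" branch).
    log { destination(d_other); };
};
```

Lines that are not valid JSON fail p_json and are dropped from this log path, so they never reach d_other. Check the file with `syslog-ng --syntax-only` before reloading.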