[syslog-ng] JSON Filter

Scot scotrn at gmail.com
Tue Apr 3 19:25:18 UTC 2018 

So then my log statement where I DON'T want duplicate copies would look
something like.


filter f_wineventlog_DC   { "${type} eq "wineventlog" and "${tag1} eq "DC"
};
filter f_wineventlog_PCI  { "${type} eq "wineventlog" and "${tag1} eq "PCI"
};

log { source(s_logstash);

     parser {json-parser();};

     filter { f_wineventlog_DC(); };

destination(d_wineventlog_DC);

     log { filter("example"); destination(d_file2); };

};





> output{
>>   if [type]=="wineventlog" and "DC" in [tags] {
>>     tcp {
>>     host => "loghost"
>>     port => "5142"
>>     mode => "client"
>>     codec => "json_lines"
>>     }
>>   } else if [type]=="wineventlog" and "PCI" in [tags] {
>>     tcp {
>>     host => "loghost"
>>     port => "5141"
>>     mode => "client"
>>     codec => "json_lines"
>>     }
>>   } else if [type]=="wineventlog" {
>>     tcp {
>>     host => "loghost"
>>     port => "5140"
>>     mode => "client"
>>     codec => "json_lines"
>>     }
>>   } else if [type]=="filebeat" and "apache" in [tags] {
>>     tcp {
>>     host => "loghost"
>>     port => "5145"
>>     mode => "client"
>>     codec => "json_lines"
>>     }
>>   } else if [type]=="filebeat" and "PCI" in [tags] {
>>     tcp {
>>     host => "loghost"
>>     port => "5144"
>>     mode => "client"
>>     codec => "json_lines"
>>     }
>>   } else if [type]=="filebeat" {
>>     tcp {
>>     host => "loghost"
>>     port => "5143"
>>     mode => "client"
>>     codec => "json_lines"
>>     }
>>  } else {
>>     file {
>>     path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
>>     codec => "json_lines"
>>     }
>> }
>> }
>>
>> ____________________________________________________________
>> __________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=
>> syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180403/1a7c335d/attachment-0001.html>

More information about the syslog-ng mailing list