[syslog-ng] JSON Filter
Scot
scotrn at gmail.com
Tue Apr 3 19:36:48 UTC 2018
Sent before it's time.
So then my log statement where I DON'T want duplicate copies would look
something like this?
filter f_wineventlog_DC { "${type}" eq "wineventlog" and "${tag1}" eq "DC" };
filter f_wineventlog_PCI { "${type}" eq "wineventlog" and "${tag1}" eq "PCI" };
filter f_wineventlog { "${type}" eq "wineventlog" };
log {
    source(s_logstash);
    parser { json-parser(); };
    filter(f_wineventlog_DC); destination(d_file1);
    log { filter(f_wineventlog_PCI); destination(d_file2); };
    log { filter(f_wineventlog); destination(d_file3); };
};
On Tue, Apr 3, 2018 at 3:25 PM, Scot <scotrn at gmail.com> wrote:
>
> So then my log statement where I DON'T want duplicate copies would look
> something like.
>
>
> filter f_wineventlog_DC { "${type}" eq "wineventlog" and "${tag1}" eq "DC" };
> filter f_wineventlog_PCI { "${type}" eq "wineventlog" and "${tag1}" eq "PCI" };
>
> log { source(s_logstash);
>
> parser {json-parser();};
>
> filter(f_wineventlog_DC);
>
> destination(d_wineventlog_DC);
>
> log { filter("example"); destination(d_file2); };
>
> };
>
>>> output {
>>> if [type]=="wineventlog" and "DC" in [tags] {
>>> tcp {
>>> host => "loghost"
>>> port => "5142"
>>> mode => "client"
>>> codec => "json_lines"
>>> }
>>> } else if [type]=="wineventlog" and "PCI" in [tags] {
>>> tcp {
>>> host => "loghost"
>>> port => "5141"
>>> mode => "client"
>>> codec => "json_lines"
>>> }
>>> } else if [type]=="wineventlog" {
>>> tcp {
>>> host => "loghost"
>>> port => "5140"
>>> mode => "client"
>>> codec => "json_lines"
>>> }
>>> } else if [type]=="filebeat" and "apache" in [tags] {
>>> tcp {
>>> host => "loghost"
>>> port => "5145"
>>> mode => "client"
>>> codec => "json_lines"
>>> }
>>> } else if [type]=="filebeat" and "PCI" in [tags] {
>>> tcp {
>>> host => "loghost"
>>> port => "5144"
>>> mode => "client"
>>> codec => "json_lines"
>>> }
>>> } else if [type]=="filebeat" {
>>> tcp {
>>> host => "loghost"
>>> port => "5143"
>>> mode => "client"
>>> codec => "json_lines"
>>> }
>>> } else {
>>> file {
>>> path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
>>> codec => "json_lines"
>>> }
>>> }
>>> }
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
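A complete syslog-ng configuration for the no-duplicate routing discussed in this thread, added here as an example and not part of the original post; it uses a junction with flags(final) instead of a top-level filter so that the DC match does not gate the other two branches. The listen address, file paths and syslog-ng version are assumptions, as is the thread's convention that Logstash emits the routing tag as a scalar field named tag1.

```conf
@version: 3.14

# Assumed listener for the Logstash tcp/json_lines output from the thread:
# raw JSON lines, no syslog header, so the whole line lands in ${MESSAGE}.
source s_logstash {
    network(ip("0.0.0.0") port(5140) transport("tcp") flags(no-parse));
};

# json-parser() reads ${MESSAGE} by default and creates ${type}, ${tag1}, ...
parser p_json { json-parser(); };

# String comparison with eq: the macro and the literal are each quoted separately.
# Assumes Logstash puts the routing tag in a scalar field named tag1.
filter f_wineventlog     { "${type}" eq "wineventlog" };
filter f_wineventlog_DC  { filter(f_wineventlog) and "${tag1}" eq "DC" };
filter f_wineventlog_PCI { filter(f_wineventlog) and "${tag1}" eq "PCI" };

# Assumed output paths; one JSON event per line, as received.
destination d_file1 { file("/var/log/wineventlog/dc.json"    template("${MESSAGE}\n")); };
destination d_file2 { file("/var/log/wineventlog/pci.json"   template("${MESSAGE}\n")); };
destination d_file3 { file("/var/log/wineventlog/other.json" template("${MESSAGE}\n")); };

log {
    source(s_logstash);
    parser(p_json);
    junction {
        # flags(final) stops a message that matched this channel from being
        # offered to the later channels, so DC and PCI events never also
        # reach d_file3; everything else with type wineventlog still does.
        channel { filter(f_wineventlog_DC);  destination(d_file1); flags(final); };
        channel { filter(f_wineventlog_PCI); destination(d_file2); flags(final); };
        channel { filter(f_wineventlog);     destination(d_file3); };
    };
};
```

Run `syslog-ng --syntax-only` after editing to catch the unbalanced-quote mistakes the thread's filters had before relying on the routing.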