[syslog-ng] JSON Filter

Balazs Scheidler bazsi77 at gmail.com
Wed Apr 4 07:09:20 UTC 2018


If you add flags(final) to each of the log statements you won't get
duplication.

Also, master already has support for the if statement, that should be
released in 3.15.

if ("$type" eq "DC") {
  destination { file(...); };
} elif (...) {
   ...
} else {
};

That's more readable and achieves roughly the same.

On Apr 3, 2018 21:25, "Scot" <scotrn at gmail.com> wrote:

>
> So then my log statement where I DON'T want duplicate copies would look
> something like:
>
>
> filter f_wineventlog_DC   { "${type}" eq "wineventlog" and "${tag1}" eq "DC"; };
> filter f_wineventlog_PCI  { "${type}" eq "wineventlog" and "${tag1}" eq "PCI"; };
>
> log { source(s_logstash);
>      parser { json-parser(); };
>      filter(f_wineventlog_DC);
>      destination(d_wineventlog_DC);
>      log { filter("example"); destination(d_file2); };
> };
>
>
>
>
>
>> output{
>>>   if [type]=="wineventlog" and "DC" in [tags] {
>>>     tcp {
>>>     host => "loghost"
>>>     port => "5142"
>>>     mode => "client"
>>>     codec => "json_lines"
>>>     }
>>>   } else if [type]=="wineventlog" and "PCI" in [tags] {
>>>     tcp {
>>>     host => "loghost"
>>>     port => "5141"
>>>     mode => "client"
>>>     codec => "json_lines"
>>>     }
>>>   } else if [type]=="wineventlog" {
>>>     tcp {
>>>     host => "loghost"
>>>     port => "5140"
>>>     mode => "client"
>>>     codec => "json_lines"
>>>     }
>>>   } else if [type]=="filebeat" and "apache" in [tags] {
>>>     tcp {
>>>     host => "loghost"
>>>     port => "5145"
>>>     mode => "client"
>>>     codec => "json_lines"
>>>     }
>>>   } else if [type]=="filebeat" and "PCI" in [tags] {
>>>     tcp {
>>>     host => "loghost"
>>>     port => "5144"
>>>     mode => "client"
>>>     codec => "json_lines"
>>>     }
>>>   } else if [type]=="filebeat" {
>>>     tcp {
>>>     host => "loghost"
>>>     port => "5143"
>>>     mode => "client"
>>>     codec => "json_lines"
>>>     }
>>>  } else {
>>>     file {
>>>     path => "/opt/syslog-ng/logs/logstash/%{host}-%{+YYYY-MM-dd}.json"
>>>     codec => "json_lines"
>>>     }
>>> }
>>> }
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
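The two routing styles discussed in this thread, assembled into one complete syslog-ng configuration as an added example (it is not from the original post and not the syslog-ng project's own code). It assumes the event fields ${type} and ${tag1} that Scot's filters use; the listening port, file paths and permissions are placeholders chosen for the example.

```conf
@version: 3.15

# Constructed example: accept JSON lines from Logstash over TCP.
# no-parse keeps the whole line in ${MESSAGE} instead of trying to read a
# syslog header that Logstash's json_lines codec never sends.
source s_logstash {
  network(ip("127.0.0.1") port(5140) transport("tcp") flags(no-parse));
};

# json-parser() without a prefix exposes each top-level key as ${key}, so an
# event like {"type":"wineventlog","tag1":"DC",...} yields ${type} and ${tag1}.
parser p_json { json-parser(); };

filter f_wineventlog_DC  { "${type}" eq "wineventlog" and "${tag1}" eq "DC"; };
filter f_wineventlog_PCI { "${type}" eq "wineventlog" and "${tag1}" eq "PCI"; };
filter f_wineventlog     { "${type}" eq "wineventlog"; };

# One file per class. The PCI-tagged stream gets its own file so it can carry
# its own retention and access controls. Paths are placeholders.
destination d_wineventlog_DC  { file("/var/log/syslog-ng/wineventlog-dc.json"  perm(0640) template("$(format-json --scope nv-pairs)\n")); };
destination d_wineventlog_PCI { file("/var/log/syslog-ng/wineventlog-pci.json" perm(0640) template("$(format-json --scope nv-pairs)\n")); };
destination d_wineventlog     { file("/var/log/syslog-ng/wineventlog.json"     perm(0640) template("$(format-json --scope nv-pairs)\n")); };
destination d_other           { file("/var/log/syslog-ng/other.json"           perm(0640) template("$(format-json --scope nv-pairs)\n")); };

# Style 1: nested log statements with flags(final). Branches are tried in
# order; final stops a matching message from falling through to the later
# branches, so each event is written exactly once (without final, a DC event
# would also match f_wineventlog and the catch-all and be written three times).
log {
  source(s_logstash);
  parser(p_json);

  log { filter(f_wineventlog_DC);  destination(d_wineventlog_DC);  flags(final); };
  log { filter(f_wineventlog_PCI); destination(d_wineventlog_PCI); flags(final); };
  log { filter(f_wineventlog);     destination(d_wineventlog);     flags(final); };
  log { destination(d_other); };
};

# Style 2: the same routing with if/elif/else (syslog-ng 3.15 and later).
# Use it INSTEAD of the log statement above, not alongside it; both together
# would read the same source twice and write every event twice.
# log {
#   source(s_logstash);
#   parser(p_json);
#   if ("${type}" eq "wineventlog" and "${tag1}" eq "DC") {
#     destination(d_wineventlog_DC);
#   } elif ("${type}" eq "wineventlog" and "${tag1}" eq "PCI") {
#     destination(d_wineventlog_PCI);
#   } elif ("${type}" eq "wineventlog") {
#     destination(d_wineventlog);
#   } else {
#     destination(d_other);
#   };
# };
```

Check the file with `syslog-ng --syntax-only -f /path/to/this.conf` before reloading; the if/elif/else form is rejected by versions older than 3.15, which is the quickest way to tell whether your build supports it.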