[syslog-ng] Cyxtera json file and syslog-ng

Garcia, Julio (InfoSec) julgarcia at corelogic.com
Thu Dec 20 18:46:51 UTC 2018


Hi, I’m currently sending Cyxtera JSON logs to our syslog-ng server via syslog-ng but for some reason I’m not able to get all of the data to parse out correctly. It’s being parsed out with _json. I was at some point able to get the message in JSON form but all the data was within a MESSAGE bracket.

This is where I’m at now. Looks like it parses correctly but it’s all under _json. Is there a way to remove that and keep everything else?

This is what my syslog-ng looks like.

@version:3.14
@include "scl.conf"

# syslog-ng configuration file.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

######################################
#Sources
######################################

source s_cyxtera {
    tcp(port(51404) flags(no-parse));
};

######################################
#Destinations
######################################

destination d_cyxtera {
    file("/data/log/syslog/cyxtera/$HOST/$YEAR-$MONTH-$DAY-cyxtera.log"
         template("$(format-json --scope dot-nv-pairs)\n"));
};

######################################
# Parser
######################################

parser p_json { json-parser(prefix(".json.")); };

######################################
# Log
######################################

log { source(s_cyxtera); parser(p_json); destination(d_cyxtera); };

options {
   flush_lines (0);
   time_reopen (10);
   log_fifo_size (1000);
   chain_hostnames (off);
   use_dns (no);
   use_fqdn (no);
   create_dirs (no);
   keep_hostname (yes);
   owner("usr01");
   group("usr01");
   dir-owner("user01");
   dir-group("user01");
   dir-perm(0755);
   perm(0755);
};

This is how the data is showing up in Splunk. I had to clear some info, but these are the main keys showing up. I have to expand _json: to get everything inside the key. I want it where I don’t have the _json and everything else shows as its individual key. Hope this makes sense. I know I’m using some of the wrong terminology.

[image001.png: screenshot of the Splunk event view; attachment not included in the archive]

Thank you,

Julio Garcia
Pro, Information Security Engineer
CoreLogic

Direct (949) 214-1284
Mobile (714) 474-5254
julgarcia at corelogic.com

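Added example (editor's configuration, not the original poster's): the `_json` key appears because `$(format-json)` writes every name-value pair whose name starts with a dot with an underscore in place of that leading dot, so `.json.user` becomes `_json.user`, which format-json then nests as `{"_json":{"user":...}}`. The configuration below keeps the `.json.` prefix while parsing and strips it only on output, using the `--rekey`/`--shift` options of syslog-ng's value-pairs, so the parsed fields are emitted as top-level keys. The port, paths and object names are taken from the post; `create-dirs(yes)` and the tighter `perm()`/`dir-perm()` values are the editor's additions, and the option names should be confirmed against syslog-ng.conf(5) for the 3.14 build in use.

```conf
@version: 3.14
@include "scl.conf"

source s_cyxtera {
    tcp(port(51404) flags(no-parse));
};

# Keep a dot prefix while parsing: parsed keys share one name-value namespace
# with syslog-ng's own values, so an unprefixed JSON key such as "HOST" or
# "MESSAGE" would overwrite the built-in value of the same name.
parser p_json {
    json-parser(prefix(".json."));
};

# $(format-json) renders a leading dot as "_", which is where "_json" comes from.
# Select only the parsed pairs (--key .json.*) and shift 6 characters off each
# matching name (the length of ".json."), so ".json.user" is emitted as "user".
destination d_cyxtera {
    file("/data/log/syslog/cyxtera/$HOST/$YEAR-$MONTH-$DAY-cyxtera.log"
         create-dirs(yes)   # editor's addition: the per-$HOST directory must be creatable
         perm(0640)         # editor's addition: log files need no execute or world-read bits
         dir-perm(0750)     # editor's addition: overrides the global 0755 for this destination
         template("$(format-json --key .json.* --rekey .json.* --shift 6)\n")
    );
};

log { source(s_cyxtera); parser(p_json); destination(d_cyxtera); };
```

Check the file with `syslog-ng --syntax-only -f <path>` before reloading; if the build rejects `--rekey`/`--shift`, the same effect can be obtained by post-processing the `_json` object in the consumer, but stripping the prefix at the syslog-ng side keeps the Splunk field names stable across every destination that uses this template.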