Skip to content

Instantly share code, notes, and snippets.

@devynspencer

devynspencer/logstash-json.conf

Forked from untergeek/logstash-json.conf
Last active May 10, 2023 15:10
Show Gist options
  • Star 4 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save devynspencer/a421d1c6184f0c69ff99 to your computer and use it in GitHub Desktop.
Save devynspencer/a421d1c6184f0c69ff99 to your computer and use it in GitHub Desktop.
Download ZIP
JSON rsyslog output for Logstash
Raw
logstash-json.conf
template(name="ls_json" type="list" option.json="on") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"@version\":\"1")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"programname\":\"") property(name="programname")
constant(value="\",\"procid\":\"") property(name="procid")
constant(value="\"}\n")
}
Raw
logstash.conf
input {
udp {
port => 10514
codec => "json"
type => "syslog"
}
}
filter {
# This replaces the host field (UDP source) with the host that generated the message (sysloghost)
if [sysloghost] {
mutate {
replace => [ "host", "%{sysloghost}" ]
remove_field => "sysloghost" # prune the field after successfully replacing "host"
}
}
}
output {
# whatever
}
Raw
rsyslog.conf
# Other config goes above here...
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Set the target host here by replacing 127.0.0.1
*.* @127.0.0.1:10514;ls_json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment