Hello,

I have a working Logstash server collecting logs from Windows hosts with the nxlog agent (sending json format).

The Logstash server is taking the Windows agent logs and forwarding them to two destinations, and overall it's working fine.

The problem is, one of the destinations (HostA as shown below) does not understand json format, so I would like to have Logstash convert the output for that particular destination to basic Syslog format. I am using the syslog output module, but they are still receiving events in json format and cannot use it.

Any suggestions would be much appreciated.

My configuration is copied below.

input {

NXLOG input from Windows hosts

tcp {
port => 5140
}
}

Filter

filter{}

Output to Legacy log collector

output {
syslog {
facility => local6
host => "HostA"
port => 514
severity => informational
rfc => rfc5424
}
}

Output to new log collector

output {
lumberjack {
hosts => "HostB"
port => 9010
ssl_certificate => "/etc/cert.crt"
codec => "json"
}
}

So you're receiving serialized JSON via TCP and you want to ship it via Lumberjack except for HostA where you want to use syslog? The problem is that you're never deserializing the JSON string you receive, so the plaintext message the syslog output sees is a JSON string.

Try using a json codec for your tcp input so that you get the fields inside the JSON object extracted into discrete fields. By default the message field will form the message part of the syslog message but you can change that with the syslog output's message option.