Logstash - Use case to use syslog

franco.federico · June 17, 2019, 12:08pm

Hi all

I have a simple logastash.conf at the moment. I receive from winlogbeat and I store information in the Elasticsearch.

Now I'd like to add a new output to syslog. I'd like to send only the log of the administrator users to syslog.

How could implement this? I think the following 2 solutions

Winlogbeat send information with the field that show the administrators users (at the moment I don't found a solution for this; I see the processor but it isn't possible to use a script to do discover of administrator of the system)
Logstash receives information from winlogbeat and for any user check if the user is administrator of the system with a script code(I see that in logstash there is the ruby code that I could use)

Do you have other suggestion?

Thank you
Franco

vasek · June 17, 2019, 12:14pm

Simply try LOGSTASH OUTPUT PLUGIN
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-syslog.html

You can define many parameters there.

! It is necessary install this plugin to logstash !

/usr/share/logstash/bin/logstash-plugin install logstash-output-syslog

vasek · June 17, 2019, 12:17pm

Very useful staff in logstash is @metadata field. You can add field based on some condition.. this @metadata field will not be stored to a document. But you can use this field in conditions in output section in logstash.

system · July 15, 2019, 12:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.