Logstash - Use case to use syslog

Hi all

I have a simple logstash.conf at the moment. I receive from Winlogbeat and I store the information in Elasticsearch.

Now I'd like to add a new output to syslog. I'd like to send only the log of the administrator users to syslog.

How could I implement this? I am thinking of the following 2 solutions:

  1. Winlogbeat sends the information with a field that shows the administrator users (at the moment I haven't found a solution for this; I see the processor, but it isn't possible to use a script to discover the administrators of the system)
  2. Logstash receives the information from Winlogbeat and, for each user, checks whether the user is an administrator of the system with script code (I see that in Logstash there is the ruby code that I could use)

Do you have any other suggestions?

Thank you


You can define many parameters there.

! It is necessary to install this plugin in Logstash !

/usr/share/logstash/bin/logstash-plugin install logstash-output-syslog

Very useful stuff in Logstash is the @metadata field. You can add a field based on some condition. This @metadata field will not be stored in the document, but you can use this field in conditions in the output section in Logstash.
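A sketch of the @metadata approach described in the reply above, added here as an example and not part of the original posts. It assumes the administrator accounts are known in advance (the account names and host names below are constructed placeholders) and that Winlogbeat populates `[user][name]`, with `[winlog][event_data][SubjectUserName]` as a fallback.

```logstash
input {
  beats { port => 5044 }
}

filter {
  # Pick the account name from whichever Winlogbeat field is present.
  if [user][name] {
    mutate { copy => { "[user][name]" => "[@metadata][acct]" } }
  } else if [winlog][event_data][SubjectUserName] {
    mutate { copy => { "[winlog][event_data][SubjectUserName]" => "[@metadata][acct]" } }
  }

  if [@metadata][acct] {
    # Windows account names are case-insensitive, so normalise before comparing.
    # Done in a separate mutate so it runs after the copy above.
    mutate { lowercase => ["[@metadata][acct]"] }

    # Constructed list of admin accounts (assumption: maintained by hand).
    if [@metadata][acct] in ["administrator", "adm-example1", "adm-example2"] {
      mutate { add_field => { "[@metadata][is_admin]" => "true" } }
    }
  }
}

output {
  # Every event still goes to Elasticsearch; @metadata fields are not indexed.
  elasticsearch {
    hosts => ["http://localhost:9200"]        # placeholder
  }

  # Only events flagged as admin activity are forwarded to syslog.
  if [@metadata][is_admin] == "true" {
    syslog {
      host       => "syslog.example.internal" # placeholder
      port       => 514
      protocol   => "tcp"
      rfc        => "rfc5424"
      appname    => "winlogbeat"
      sourcehost => "%{[host][name]}"
    }
  }
}
```

Events with no account field never get the flag and are therefore never forwarded, so the syslog stream should be checked against a known admin logon after deployment to confirm the field names match what your Winlogbeat version emits.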
