Hello,
I know I'm using EFK and not ELK, but I'm still trying; maybe someone on this forum knows how to do it with fluentd.
I have the following syslog messages:
"54:07+04:00 test-ls100.pi.com - - - - 1,2019/09/04 09:54:06,4645646546,USERID,login,5000,2019/09/04 09:54:06,vsys1,192.168.1.2,lst\\atest,ls220-test-LaPool,0,1,2700,0,0,agent,,37742033,0x0,0,0,0,0,,test-ls100,1,,2019/09/04 09:54:05,1,0x0,lst\\atest",syslog.local7.info
"59:47+04:00 test2-ls200.dbi.lan - - - - 1,2019/09/04 03:59:47,007000016266,SYSTEM,vpn,0,2019/09/04 03:59:47,,tunnel-status-up,IPSEC-Tunnel-microsoft,0,0,general,critical,\"Tunnel IPSEC-microsoft is up\",4685867,0x0,0,0,0,0,,test2-ls200",syslog.local7.crit
If I use the following config in fluentd:
> <source>
>   type syslog
>   port 5002
>   tag syslog
>   <parse>
>     time_format
>     rfc5424_time_format
>     message_format auto
>   </parse>
> </source>
I get this output, with some parsed data like host:
+0400 syslog.local7.info: {"host":"test-ls100.pi.com","ident":"-","pid":"-","msgid":"-","extradata":"-","message":" 1,2019/09/04 10:23:57,5648688596,USERID,login,5000,2019/09/04 10:23:57,vsys1,192.168.1.2,b5\\sync,test-ls100.pi.com,0,1,2700,0,0,agent,,80706441,0x0,0,0,0,0,,test-ls100,1,,2019/09/04 10:23:53,1,0x0,b5\\sync"}
And the same parsed data for syslog.local7.crit, with host etc.
What I'm trying to do is to parse the message field, which contains all the info, and put the different pieces of info into different fields. For example, get the info login or vpn (which can also be logout, ssh, or anything else like telnet), create a field action and put my info in it, and I want to do that with my whole message field.
I know that fluentd has a guide to parsing syslog messages, but to be honest I'm a beginner and I cannot understand how to use their instructions in my case:
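As an added illustration (not code from the post, from fluentd, or from the device producing these logs), here is the split the poster describes done in Python: the comma-separated message field is parsed as CSV so that a quoted value such as "Tunnel IPSEC-microsoft is up" is kept as one field, every position becomes its own key, and the fifth position (login, vpn, ...) is copied into an action field. The sample messages are constructed from the two lines in the post; the positional names (receive_time, serial, type, action, generated_time) are an assumption inferred only from those two samples, not a documented format.

```python
import csv

# Constructed samples: the "message" value fluentd's syslog parser produced for
# the two lines in the post, with the raw (not JSON-escaped) backslashes and
# quotes, including the leading space fluentd left in the field.
SAMPLE_USERID = (' 1,2019/09/04 09:54:06,4645646546,USERID,login,5000,'
                 '2019/09/04 09:54:06,vsys1,192.168.1.2,lst\\atest,'
                 'ls220-test-LaPool,0,1,2700,0,0,agent,,37742033,0x0,0,0,0,0,,'
                 'test-ls100,1,,2019/09/04 09:54:05,1,0x0,lst\\atest')
SAMPLE_SYSTEM = (' 1,2019/09/04 03:59:47,007000016266,SYSTEM,vpn,0,'
                 '2019/09/04 03:59:47,,tunnel-status-up,IPSEC-Tunnel-microsoft,'
                 '0,0,general,critical,"Tunnel IPSEC-microsoft is up",'
                 '4685867,0x0,0,0,0,0,,test2-ls200')

# Assumption: names for a few positions, inferred from the two samples only.
# Position 4 is the login/vpn/logout/... value the poster wants as "action".
NAMED_POSITIONS = {
    1: "receive_time",
    2: "serial",
    3: "type",
    4: "action",
    6: "generated_time",
}


def parse_message(message):
    """Split one message field into a dict of field_<n> keys plus named keys.

    csv.reader handles the quoted field that itself contains no commas here
    but could (e.g. a free-text description), and treats backslashes as
    literal characters, so "lst\\atest" survives unchanged.
    """
    fields = next(csv.reader([message.strip()]))
    record = {"field_%d" % i: value for i, value in enumerate(fields)}
    for position, name in NAMED_POSITIONS.items():
        # A shorter message (fewer columns) simply lacks the named key
        # instead of raising IndexError.
        if position < len(fields):
            record[name] = fields[position]
    record["field_count"] = len(fields)
    return record


def enrich_event(event):
    """Merge the parsed message into a fluentd-style event dict.

    The original keys (host, ident, pid, ...) are kept; the parsed fields are
    added beside them. If "message" is missing the event is returned as-is.
    """
    if "message" not in event:
        return dict(event)
    enriched = dict(event)
    enriched.update(parse_message(event["message"]))
    return enriched


if __name__ == "__main__":
    for sample in (SAMPLE_USERID, SAMPLE_SYSTEM):
        event = enrich_event({"host": "example-host", "message": sample})
        print(event["type"], event["action"], event["field_count"])
```

The same positional split can be expressed in fluentd itself with a `<filter>` of `@type parser` on `key_name message` whose `<parse>` block uses `@type csv` with a `keys` list (fluentd's csv parser also honours double-quoted values); the Python above is only meant to make the mapping from positions to fields explicit before committing it to a config.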