I am building a logging pipeline and there is a syslog collector that is depositing raw syslog messages into a Kafka topic. I would usually accept syslog off the wire by using the Logstash syslog input plugin, which handles the parsing of the syslog header very nicely. But in this instance, my input is now a Kafka topic, and therefore I am finding it difficult to process the events as syslog messages, as the syslog input plugin only accepts events from a network port. Is there such a thing as a syslog filter plugin, or codec?

Example raw syslog message as stored in Kafka:
<14>Nov 3 16:42:05 CX-PaloHE01.acme.com 1,2020/11/03 16:42:04,013222003452,TRAFFIC,end,2304,2020/11/03 16:42:04,10.170.3.113,217.58.197.68,8.37.68.200,217.58.197.68,GlobalProtect-Internet-Access,prod\tomar,,quic,vsys2,Prod-GlobalProtect,Prod-L3-inet,tunnel.9998,ethernet1/8.666,SIEM-Syslog,2020/11/03 16:42:04,2593114,1,65111,443,31573,443,0x400050,udp,allow,2863,1467,1396,3,2020/11/03 16:40:02,0,any,0,6854539165046534753,0x0,10.0.0.0-10.255.255.255,United States,0,2,1,aged-out,171,0,0,0,Production,CX-PaloHE01,from-policy,,,0,,0,,N/A,0,0,0,0,bfc04636-c4f2-43ef-a25d-9f93fe9a04b3,0
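One way to reproduce what the syslog input does on a Kafka-fed pipeline, as an added example that is not from the original post: the same grok pattern the syslog input uses, followed by the syslog_pri and date filters, and a csv filter for the PAN-OS body. The broker address, topic name and timezone are assumptions, and the column names follow the PAN-OS TRAFFIC log field order as documented by Palo Alto, so check them against the PAN-OS version in use.

```logstash
input {
  kafka {
    bootstrap_servers => "kafka1:9092"     # assumed broker address
    topics => ["syslog-raw"]               # assumed topic name
    codec => plain { charset => "UTF-8" }
  }
}

filter {
  # Same grok the syslog input uses: strip the PRI, then the RFC 3164 header.
  grok {
    match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGLINE}" }
    overwrite => ["message"]
    tag_on_failure => ["_syslog_header_failed"]
  }
  # Decode PRI 14 into facility user-level (1) and severity informational (6).
  syslog_pri {
    syslog_pri_field_name => "syslog_pri"
  }
  # "Nov 3 16:42:05" carries no year or zone; pin the collector's zone explicitly
  # instead of letting Logstash assume the pipeline host's.
  date {
    match => ["timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "ISO8601"]
    timezone => "UTC"                      # assumed; use the firewall's zone
  }
  # What remains is a PAN-OS TRAFFIC record in CSV form. Column names follow the
  # PAN-OS traffic log field order; any extra columns get csv's default
  # "columnN" names, so nothing is silently dropped.
  if [message] =~ /^\d+,[^,]+,[^,]+,TRAFFIC,/ {
    csv {
      source => "message"
      columns => ["future_use1", "receive_time", "serial", "type", "subtype",
                  "future_use2", "generated_time", "src_ip", "dst_ip",
                  "nat_src_ip", "nat_dst_ip", "rule", "src_user", "dst_user",
                  "application", "vsys", "src_zone", "dst_zone", "in_iface",
                  "out_iface", "log_action", "future_use3", "session_id",
                  "repeat_count", "src_port", "dst_port", "nat_src_port",
                  "nat_dst_port", "flags", "protocol", "action"]
    }
  }
}

output {
  stdout { codec => rubydebug }            # swap for elasticsearch {} in production
}
```

Events that fail the header grok keep the `_syslog_header_failed` tag, which lets you route malformed or non-syslog records from the topic to a separate index instead of losing them.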