in a filter section do:
grok {
  # GREEDYDATA rather than DATA: DATA is non-greedy and captures nothing at the end of a pattern
  match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:message}" }
  # replace the original message field instead of appending a second value to it
  overwrite => [ "message" ]
}
json {
  source => "message"
}
I'm not saying to go to rsyslog to then go to logstash, I'm saying go to rsyslog
to go to ElasticSearch. There is no requirement to use logstash to get
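As an added illustration (not code from the thread), the following Python script reproduces what the grok + json filter pair above does, using a constructed OSSEC-style syslog line carrying a JSON payload. It uses a simplified stand-in for grok's SYSLOGBASE pattern (an assumption, not the real pattern definition) and shows the gotcha that a non-greedy DATA capture at the end of an unanchored pattern matches the empty string, whereas GREEDYDATA captures the JSON body that the json filter then needs:

```python
import json
import re

# Constructed sample line (not from the original thread): an OSSEC alert
# serialised as JSON and shipped over syslog.
SAMPLE_LINE = (
    'May 26 10:15:42 ossec-server ossec: '
    '{"rule":{"level":5,"description":"Login session opened."},'
    '"srcip":"192.0.2.10","full_log":"pam_unix(sshd:session): session opened"}'
)

# Simplified stand-in for grok's SYSLOGBASE (assumption): timestamp, host,
# program with optional [pid], then a colon.
SYSLOGBASE = (
    r'(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<logsource>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:'
)

# grok's DATA is the non-greedy .*? and GREEDYDATA is the greedy .* ;
# grok does not anchor the end of the pattern, so neither gets a trailing $.
PATTERN_DATA = re.compile(SYSLOGBASE + r' (?P<message>.*?)')
PATTERN_GREEDYDATA = re.compile(SYSLOGBASE + r' (?P<message>.*)')


def grok(line, pattern):
    """Apply a grok-like pattern anchored at the start of the line only.
    Returns the named captures, or None when the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def extract_event(line):
    """Mirror the grok -> json filter chain: split off the syslog header,
    then decode the remaining message as JSON and merge its keys in.
    A non-JSON remainder gets a _jsonparsefailure tag, as logstash does."""
    fields = grok(line, PATTERN_GREEDYDATA)
    if fields is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    try:
        payload = json.loads(fields["message"])
    except ValueError:
        fields["tags"] = ["_jsonparsefailure"]
        return fields
    if not isinstance(payload, dict):
        fields["tags"] = ["_jsonparsefailure"]
        return fields
    # The decoded object replaces the raw message field, like json{} without target
    fields.pop("message")
    fields.update(payload)
    return fields


if __name__ == "__main__":
    print("DATA capture      :", repr(grok(SAMPLE_LINE, PATTERN_DATA)["message"]))
    print("GREEDYDATA capture:", grok(SAMPLE_LINE, PATTERN_GREEDYDATA)["message"])
    print(json.dumps(extract_event(SAMPLE_LINE), indent=2))
```

Running it shows the DATA variant yielding an empty message (so the json filter would have nothing to parse and tag the event with `_jsonparsefailure`), while the GREEDYDATA variant hands the full JSON object to the decoder.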
On Tue, 26 May 2015, T-SOC Operations wrote:
Sorry, bloody germans ;-)
- someone sharing their logstash 1.5.0 ossec grok filter (ossec.log +
  alerts.log, also the permission challenges on those files)
- clean json formatted events from ossec to logstash input handler
I thought the ossec json