syslog-ng | enhanced log daemon , supporting a wide range | Pub Sub library

Tried with specific package and its able to install.

You have multiple options here, one of them is writing your own parser in Python.

Parsers usually produce new name-value pairs. The connection between add-contextual-data() and your parser would be the key you specify in selector().

LogMessage fields are bytes objects in Python 3, so they have to be decoded into strings before transforming them (for example: log_message['.json.vpnrd'].decode("utf-8")).

syslogng.Logger logs into the internal() source.

xxx:yyy:zzz seems to be a fixed length, so you can just remove the unnecessary parts (no custom parser is required):

You can set the default-selector("UNKNOWN") option for add-contextual-data(), and add a record to your CSV file with the ID UNKNOWN, and use the following value when setting .meta_router.hostname: ${.json.router_ip}.

TLDR: templates are supported inside the CSV file as well.

Note: In case your IPs are reverse-resolvable, you can just use the $(dns-resolve-ip) template function instead of maintaining a complete CSV database:

https://github.com/syslog-ng/syslog-ng/pull/3046

If your intention is to ignore all toplevel elements by default, and whitelist some of them, replace * with /* :

Problem solved.

It relied on the order in which the operations were performed. Lgrotate does a 'postrotate' section before compressing to .gz. The solution to the problem was to change the name from 'postrotate' to 'lastaction'.

For posterity the best way to do this is to use the logstash plugin. There is an option to export elastic data, TCP data and also the ability to send to syslog.

requires a network source that needs to be specified in the syslog-ng configuration, for example:

source { network(port(514)); };

Alternatively, default-network-drivers() can be used, which sets good defaults (TCP/UDP 514 and 601):

You can check the exact error message in the journal logs, as it is suggested by systemctl:

See "systemctl status syslog-ng.service" and "journalctl -xe" for details.

Alternatively, you can start syslog-ng in the foreground:

$ syslog-ng -F --stderr

You probably have a persist-name collision due to the matching elasticsearch-http() URLs. Please try adding the persist-name() option with 2 unique names, for example:

The mongodb() destination currently does not support macros in its collection() option. You can open a feature request on GitHub, if you want to see that in a future release.

Your second example, however, should work as expected. In case ${YEAR}.${MONTH}.${DAY} directories do not exist, you should add the create-dirs(yes) option as well.