How to parse JSON logs to syslog format?
#1 cbitterfield

nxlog-ce-2.9.1716
Ubuntu 16.04 LTS (OS)
I am trying to parse JSON to SYSLOG.
There are two issues.
1. The NoCache TRUE does not seem to work. (I also tried SavePOS false) and it always caches the file.
2. When I do get it to work, it uses the localhost (which is not where the logs are from) and the time/date stamp from the JSON file (but no other data is there).
Is there an example of parsing JSON to _syslog_bsd() for forwarding to a SIEM?
```
#######################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel DEBUG
NoCache TRUE
########################################
# Modules #
########################################
Module xm_json
Module xm_syslog
SavePos FALSE
Module im_file
File '/tmp/json/*.json'
Exec $Message = to_json(); to_syslog_bsd();
Module om_file
File "/var/log/nxlog/syslog.log"
Exec to_syslog_bsd();
########################################
# Routes #
########################################
Path in => fileout1
```
Resulting output is:
```
Feb 16 02:43:14 [redacted hostname] {"EventReceivedTime":"2018-02-16 02:43:14","SourceModuleName":"in","SourceModuleType":"im_file"}
```
Date is localtime for the conversion.
Source JSON is OKTA logs.

You should not need to convert it to JSON if it is already JSON, so the below should work:
```
File    '/tmp/json/*.json'
Exec  to_syslog_bsd();
```
If you are interested, we have an NXLog EE add-on for Okta.
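
A complete configuration along the lines of the reply above, as an added example that is not from the thread or from NXLog's own documentation. It goes one step further than the reply by parsing the JSON so that the syslog timestamp and host come from the record rather than from the collector. The `published` field name, the `okta.example.com` host label and the instance names are assumptions, and the global directives from the question are omitted.

```conf
# Added example; instance names (json, syslog, in, fileout1, r1) are assumed.
<Extension json>
    Module  xm_json
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module        im_file
    File          '/tmp/json/*.json'
    # Do not persist the read position, and start from the top of each file
    # instead of only picking up lines appended after startup.
    SavePos       FALSE
    ReadFromLast  FALSE
    <Exec>
        # Turn the JSON keys into event fields (xm_json).
        parse_json();
        # Use the untouched JSON line as the syslog message body.
        $Message = $raw_event;
        # Assumption: the record carries its timestamp in "published".
        # string() normalises the value in case it was already typed as a datetime.
        if defined($published) $EventTime = parsedate(string($published));
        # Constructed placeholder for the log origin, replacing the local hostname.
        $Hostname = 'okta.example.com';
    </Exec>
</Input>

<Output fileout1>
    Module  om_file
    File    "/var/log/nxlog/syslog.log"
    # Build the BSD syslog line from $EventTime, $Hostname and $Message.
    Exec    to_syslog_bsd();
</Output>

<Route r1>
    Path    in => fileout1
</Route>
```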