nxlog-ce-2.9.1716 Ubuntu 16.04 LTS (OS)

I am trying to parse JSON to SYSLOG

There are two issues.

  1. The NoCache TRUE does not seem to work (I also tried SavePos FALSE) and it always caches the file.
  2. When I do get it to work, it uses the localhost (which is not where the logs are from) and the time/date stamp from the JSON file (but no other data is there).

Is there an example of parsing JSON to to_syslog_bsd() for forwarding to a SIEM?

########################################
# Global directives                    #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel DEBUG
NoCache TRUE

########################################
# Modules                              #
########################################
<Extension _json>
    Module  xm_json
</Extension>

<Extension syslog>
        Module xm_syslog
</Extension>

<Input in>
    SavePos     FALSE
    Module  im_file
    File    '/tmp/json/*.json'
    Exec $Message = to_json(); to_syslog_bsd();
</Input>

<Output fileout1>
    Module      om_file
    File        "/var/log/nxlog/syslog.log"
    Exec        to_syslog_bsd();
</Output>


########################################
# Routes                               #
########################################
<Route 1>
    Path        in => fileout1
</Route>

Resulting output is:

<13>Feb 16 02:43:14 [redacted hostname] {"EventReceivedTime":"2018-02-16 02:43:14","SourceModuleName":"in","SourceModuleType":"im_file"}

Date is localtime for the conversion

Source JSON is OKTA logs

Asked February 16, 2018 - 4:06am

Answer (1)

You should not need to convert it to json if it is already json, so the below should work:

    File    '/tmp/json/*.json'
    Exec  to_syslog_bsd();

If you are interested we have an NXLog EE add-on for Okta.
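As an added example (not code from the question or the answer above, and not an NXLog-supplied configuration), the configuration below shows the full pattern the answer points at: the JSON document in $raw_event is parsed into fields first, the syslog header fields are filled from the event, and only then is to_syslog_bsd() called. Calling to_json() before parse_json() serializes only the core fields (EventReceivedTime, SourceModuleName, SourceModuleType), which is exactly the output quoted in the question; leaving $Hostname and $EventTime unset is why the header shows the local host and the receive time. The field names `published` and `client_ip`, the output host `siem.example.com` and UDP port 514 are assumptions here and must be checked against the actual Okta event schema and the SIEM listener.

```nxlog
########################################
# Modules                              #
########################################
<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    '/tmp/json/*.json'
    # Parse the JSON text held in $raw_event into NXLog fields. Without this
    # step to_json()/to_syslog_bsd() only see the core fields NXLog adds itself.
    Exec    parse_json();
    # Assumed (hypothetical) field names: "published" is taken to be the
    # event timestamp and "client_ip" the originating address. parsedate()
    # turns the string into a datetime so the BSD header carries the event
    # time rather than the time NXLog read the line.
    Exec    if defined($published) $EventTime = parsedate($published);
    Exec    if defined($client_ip) $Hostname = $client_ip;
    # Keep the complete JSON event as the MSG part of the syslog line.
    # to_syslog_bsd() builds "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG" into $raw_event
    # from $EventTime, $Hostname and $Message.
    Exec    $Message = $raw_event; to_syslog_bsd();
</Input>

<Output siem>
    Module  om_udp
    # Placeholder SIEM collector address and port; replace with the real listener.
    Host    siem.example.com
    Port    514
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path    in => siem
</Route>
```

For testing, swap the om_udp output for the om_file output from the question and inspect the file: each line should now carry the event timestamp and the address from the event, followed by the original JSON document as the message body. If a field is missing from some events, the `if defined(...)` guards leave $EventTime and $Hostname unset for those lines and NXLog falls back to its defaults, so the conversion never fails on a partial record.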