TL;DR: what's the recommended way of converting logs to a common (e.g. GELF) format?

I'm using NXLog together with Logstash and EalsticSearch. I'm collecting logs from Windows, NXLogs (internal) and my app logs using line based JSON.

Windows logs and NXLogs seem to share a lot of field names. I can write my app so that it uses the same fields. This greatly facilitates viewing data in elasticsearch. I could stick with windows fields or convert them all to GELF. AFAIK, the convertion from Windows Logs to GELF seems seems to require a lot of per-field convertion work. There is a good chance I won't get it right until enough data is produced.

I was looking for a convert_to_gelf() function which would take care of converting Windows Logs, Internal logs, IIS, etc to GELF. Is there such thing? Is manual conversion my only option?

AskedApril 12, 2015 - 3:16pm

Answer (1)

There is an xm_gelf module which provides an output formatter for GELF.

For UDP:

<Output out>
    Module      om_udp
    Port        12201
    OutputType  GELF_UDP

For TCP:

<Output out>
    Module      om_tcp
    Port        12201
    OutputType  GELF_TCP

See the reference manual for more information.

The only reason why these are implemented this way is because GELF for TCP is very recent and GELF_UDP uses a zlib compressed format. This is a binary payload which cannot be produced with a function like to_gelf() if that was available.

If you are not using Graylog, I'm not sure what the point is in using GELF since NXLog already produces a set of fields that are normalized to a common name in all modules (if possible). You can simply use xm_json and call to_json().