Good evening @YannM5
Here is how I went about converting a syslog message to GELF on discovery.logs.ovh.com with the latest version of Logstash:
mkdir logstash-gelf
cd logstash-gelf
vim Dockerfile
Write:
# Official OSS Logstash image; the working directory is /usr/share/logstash
FROM docker.elastic.co/logstash/logstash-oss:6.0.1
# Port on which the pipeline's tcp input listens for syslog
EXPOSE 5000
COPY logstash.conf /usr/share/logstash/pipeline/logstash.conf
COPY logstash.yml /usr/share/logstash/config/logstash.yml
# Output plugin that speaks GELF to the OVH endpoint
RUN bin/logstash-plugin install logstash-output-gelf
Edit logstash.conf, replacing XXXXXXX with your stream token.
input {
  tcp {
    port => 5000
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Classic BSD syslog layout: timestamp, host, program[pid]: message
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Record when and from where the line was received; [host] is set by the tcp input
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Use the syslog timestamp as the event's @timestamp (syslog timestamps carry no year)
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  gelf {
    host => "discover.logs.ovh.com"
    port => 2202
    protocol => "TCP"
    # custom_fields are sent as GELF additional fields (the plugin prefixes them with "_"),
    # so this arrives as _X-OVH-TOKEN, which is how the stream token is passed
    custom_fields => { "X-OVH-TOKEN" => "XXXXXXXXXXXx" }
  }
}
Edit logstash.yml
http.host: "0.0.0.0"
path.config: /usr/share/logstash/pipeline
Build the Docker image, then run it:
docker build -t gelf .
docker run --rm -p 5000:5000 gelf
Test as follows:
echo '<118> Apr 18 16:32:58 10.0.1.11 QAUDJRN: [AF@0 event="AF-Authority failure" violation="A-Not authorized to object" actual_type="AF-A" jrn_seq="1001363" timestamp="20120418163258988000" job_name="QPADEV000B" user_name="TESTFORAF" job_number="256937" err_user="TESTFORAF" ip_addr="10.0.1.23" port="55875" action="Undefined(x00)" val_job="QPADEV000B" val_user="TESTFORAF" val_jobno="256937" object="AFTEST" object_library="CUS9242" object_type="*FILE" pgm_name="" pgm_libr="" workstation=""]' | nc -v -w 0 localhost 5000
And observe the result in Graylog:
Regards,
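To make the mapping the pipeline above performs visible end to end, here is an added example (not part of the post, and not the Logstash plugin's own code) that does the same job in plain Python: it parses a BSD syslog line the way the grok and date filters do, builds a GELF 1.1 payload with the OVH token as the additional field `_X-OVH-TOKEN`, and frames it for GELF over TCP. The endpoint and port are taken from the post's config, the token is a placeholder, and the sample line is the one from the post's test command; all of these are assumptions you substitute for your own.

```python
"""Syslog -> GELF converter (added example, not from the original post)."""
import json
import re
import socket
from datetime import datetime, timezone

GELF_HOST = "discover.logs.ovh.com"   # assumed: endpoint from the post's config
GELF_PORT = 2202                      # assumed: plain GELF/TCP port from the post
OVH_TOKEN = "XXXXXXXXXXXx"            # placeholder: your stream token

# Constructed sample input: the line the post sends with nc
SAMPLE_LINE = (
    '<118> Apr 18 16:32:58 10.0.1.11 QAUDJRN: [AF@0 event="AF-Authority failure" '
    'violation="A-Not authorized to object" user_name="TESTFORAF" ip_addr="10.0.1.23"]'
)

# Same shape as the post's grok pattern, plus the optional <PRI> that a raw
# syslog line carries: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(line, year=None):
    """Turn one BSD syslog line into a GELF 1.1 message dict."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:60])
    d = m.groupdict()

    # Like the Logstash date filter: syslog has no year, so assume the current one
    # (or the one the caller passes), and treat the timestamp as UTC.
    year = year or datetime.now(timezone.utc).year
    ts = datetime.strptime("%d %s" % (year, d["ts"]), "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)

    # PRI = facility * 8 + severity; GELF "level" uses syslog severities.
    # 13 (user.notice) is the conventional default when no PRI is present.
    pri = int(d["pri"]) if d["pri"] is not None else 13
    facility, severity = divmod(pri, 8)

    gelf = {
        "version": "1.1",
        "host": d["host"],
        "short_message": d["msg"],
        "timestamp": ts.timestamp(),
        "level": severity,
        # Additional fields must start with "_"; the Logstash gelf output adds
        # that prefix to custom_fields itself, here we do it by hand.
        "_facility": facility,
        "_syslog_program": d["prog"],
        "_X-OVH-TOKEN": OVH_TOKEN,
    }
    if d["pid"]:
        gelf["_syslog_pid"] = int(d["pid"])
    return gelf


def gelf_tcp_frame(payload):
    """GELF over TCP: one JSON document per message, terminated by a NUL byte."""
    data = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    # json.dumps escapes control characters, so a raw NUL cannot appear in the
    # document; the check guards the framing invariant anyway.
    if b"\x00" in data:
        raise ValueError("NUL byte inside GELF payload would truncate the frame")
    return data + b"\x00"


def send_gelf(payload, host=GELF_HOST, port=GELF_PORT):
    """Ship one framed GELF message to the endpoint (network access required)."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(gelf_tcp_frame(payload))


if __name__ == "__main__":
    msg = parse_syslog(SAMPLE_LINE, year=2012)
    print(json.dumps(msg, indent=2))
    # send_gelf(msg)  # uncomment once OVH_TOKEN holds a real stream token
```

Run it as-is to see the JSON that reaches the platform; `level` 6 and `_facility` 14 come straight from the `<118>` PRI, which the Logstash pipeline in the post does not decode. The `_X-OVH-TOKEN` field is what the post's `custom_fields` setting produces after the plugin's underscore prefix.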