`syslog` is that services have a wide range of log formats, and no single parser can parse all
`/etc/rsyslogd.conf` and append the following line:
`rsyslogd` to forward logs to port 5140, to which Fluentd will listen.
`/etc/td-agent/td-agent.conf` and put the following configuration:
`sudo` message like this one:
`sudo`. In order to do so, we need to parse the message field. In other words, we need to extract
`sudo` and handle them differently.
`grep` filter plugin. It examines the fields of events and filters them based on regular expression patterns. In the following example, Fluentd filters out events that come from
`sudo` and contain command data:
`syslog` messages. For this purpose, we use another plugin called
`filter-parser`. With this plugin, you can parse the content of a field using a regular expression.
`syslog` events. You can send the data straight to output systems like MongoDB and Elasticsearch, but you can also filter and further parse it inside Fluentd before passing the processed data on to the output destinations.