Syslog-ng Syslog Format to JSON Format are there pre-requisite?

Question

My first time posting to Stack Overflow. I apologize if I am re-asking a question. I tried to search but nothing is really clear about what I'm trying to understand.

Do I need to configure additional parameters within Syslog-ng to allow the format-JSON Template to convert standard Syslog format into JSON?

Environment: I have Varonis logs being forwarded to my Linux (Centos 8) server, running Syslog-ng. The logs are are being received in the following format:

"|timestamp| |Server Host| |Rule ID| |Rule Name| |Rule Storyline| |Rule Description| |Alert Time| |Event Time| |Acting Object|"

To reiterate my question, Do I need to manually create key-value pairs and then call the format-JSON() function, or does the format-JSON() function do the work for me?

Answer 1

the short answer is: yes.

The long one:

You can use the format-json template function to output the name-value pairs of a message in json format. By default, these name-value pairs contain the standard parts of a syslog message, like DATE, HOST, and MESSAGE, where the MESSAGE contains the textual part of the message as a string. syslog-ng has several parsers that can turn the MESSAGE part into name-value pairs.

A quick googling says that your varonis logs are in a CEF or LEEF format. AFAIK syslog-ng doesn't have a parser for these formats out of the box. I'm not familiar with these formats, but if they always contain the same fields, then you can probably parse it with a well-aimed csv-parser() that uses a string delimiter. If the format is more complicated than that, then I'd suggest reaching out to the syslog-ng developers for help on their discord channel at the bottom of the page.

A note about the links in this reply: the docs I've linked mention axosyslog, which is a syslog-ng distribution, their docs covers classic syslog-ng as well.