Receiving GLEF logs with syslog-ng

syslog-ng does not have an explicit handler for GLEF logs. However, we can use its JSON parsing capabilities to parse them.

# JSON parser: decodes the message text as JSON and stores every key as a
# name-value pair under the ".json." prefix (for example ${.json._message}).
# The prefix keeps sender-chosen key names in their own namespace, so they
# cannot collide with syslog-ng's built-in macros.
# NOTE(review): input that is not valid JSON makes this parser fail, and the
# message then presumably never reaches the destination. Confirm this, and
# consider a fallback destination so malformed input is not lost silently.
parser p_json { json-parser(prefix(".json.")); };

# TCP listener that receives the GLEF messages on port 515.
# NOTE(review): neither ip() nor tls() is set, so this presumably accepts
# plaintext from any host that can reach the port, and nothing authenticates
# the sender. Treat every field as untrusted; limit who can connect with a
# firewall rule or ip(), and consider tls() with peer verification.
# NOTE(review): 515 is below 1024, so binding it normally needs elevated
# privileges. Confirm how syslog-ng is started on the target host.
source glef_source_tcp {
  tcp(
    port(515)
    # Skip syslog header parsing: the received line is kept whole in ${MESSAGE}
    # so that the JSON parser sees the original payload.
    flags(no-parse)
  );
};

# File destination: writes one formatted line per message to /var/log/glef.log.
destination log_file {
 file(
   "/var/log/glef.log"
   # File ownership and mode: root may read and write, members of the group
   # may read, everyone else has no access.
   owner("root")
   # NOTE(review): "LOG_ADMIN_GROUP" looks like a placeholder; replace it with
   # the real group that is allowed to read these logs.
   group("LOG_ADMIN_GROUP")
   perm(0640)
   # Line layout: timestamp, container name and message text, all taken from
   # the parsed JSON, i.e. all supplied by the sender.
   # NOTE(review): a newline or other control character embedded in one of these
   # values would presumably be written as-is and could look like a separate
   # log record. Confirm how they are handled, and consider escaping them or
   # writing structured output instead.
   # NOTE(review): for incident timelines, consider also recording the receive
   # time and peer address (e.g. ${R_ISODATE} and ${SOURCEIP}), since
   # ${.json._timestamp} is whatever the sender claims.
   template("${.json._timestamp} ${.json._container_name} ${.json._message}\n")
 );
};

# Log path: take messages from the TCP listener, run them through the JSON
# parser, then write the formatted result to the log file.
# NOTE(review): this path has no filter and no fallback, so every sender that
# can connect ends up in the same file, and messages that fail to parse are
# presumably not recorded anywhere. Confirm both behaviours.
log {
 source(glef_source_tcp);
 parser(p_json);
 destination(log_file);
};