Add tracking log intelligence to ELK

playbooks/roles/logstash/templates/logstash.conf.j2

@@ -20,6 +20,16 @@ filter {
     date {
       match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
     }
+    # Try and parse the tracking log json
+    # 142 is syslog facility 17 (local1) and Informational.
+    # This is used to reduce the number of errors in json parsing as
+    # tracking uses that facility and priority by default.
+    if "142" in [syslog_pri] {
+      json {
+        source => "syslog_message"
+        target => "tracking"
+      }
+    }
     if !("_grokparsefailure" in [tags]) {
       mutate {
         replace => [ "@source_host", "%{syslog_hostname}" ]