Does anyone know how I can keep the data fields that I've converted to JSON
out of the structured data element of syslog_ietf?
I'm currently outputting data like this:
Exec $Message = to_json(); \
     to_syslog_ietf(); \
     $raw_event = replace($raw_event, 'NXLOG@14506', '%CUSTOMER_TOKEN%@41058 tag="windows"] [', 1);
which gives me output like the below. Note how the fields are supplied
twice: once in the [FieldName="X" FieldName="Y"] format and once in the
{ FieldName: "X", FieldName: "Y" } format. The consumer (Loggly) at the other
end requires structured data in JSON, but I just want to avoid doubling the
size of our logs unnecessarily!
Any ideas? Many thanks.
<14>1 2013-09-09T17:15:50.507658+00:00 fa-testdevelop Microsoft-Windows-WMI-Activity 12260 -
[a3c50c76-0fc1-412e-a10f-efe6e7b6e09f@41058 tag="windows"]
[ Keywords="4611686018427387904" EventType="INFO" EventID="5857"
ProviderGuid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" Version="0" Task="0"
OpcodeValue="0" RecordNumber="15145" ThreadID="5592"
Channel="Microsoft-Windows-WMI-Activity/Operational" Domain="NT AUTHORITY"
AccountName="NETWORK SERVICE" UserID="NETWORK SERVICE" AccountType="Well Known Group"
Opcode="Info" EventReceivedTime="2013-09-09 17:15:51"
SourceModuleName="eventlog" SourceModuleType="im_msvistalog"]
{"EventTime":"2013-09-09 17:15:50","Hostname":"fa-testdevelop",
"Keywords":4611686018427387904,"EventType":"INFO","SeverityValue":2,"Severity":"INFO",
"EventID":5857,"SourceName":"Microsoft-Windows-WMI-Activity",
"ProviderGuid":"{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}","Version":0,"Task":0,
"OpcodeValue":0,"RecordNumber":15145,"ProcessID":12260,"ThreadID":5592,
"Channel":"Microsoft-Windows-WMI-Activity/Operational","Domain":"NT AUTHORITY",
"AccountName":"NETWORK SERVICE","UserID":"NETWORK SERVICE","AccountType":"Well Known Group",
"Message":"Win32_WIN32_TERMINALSERVICE_Prov provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 12260; ProviderPath = %SystemRoot%\\system32\\tscfgwmi.dll",
"Opcode":"Info","EventReceivedTime":"2013-09-09 17:15:51",
"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
_______________________________________________
nxlog-ce-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
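The layout the post is asking for, as an added example (it is not the poster's code and not part of NXLog): an RFC 5424 line whose STRUCTURED-DATA element carries only the customer token and the tag, with the event fields sent once, as the JSON MSG. The builder can also emit the doubled layout shown above so the two can be compared, and the parser reads both back and reports which field names occur in both places. Two details worth checking in any such pipeline: SD-PARAM values must escape `"`, `\` and `]` (RFC 5424 section 6.3.3), otherwise a field value containing `]` ends the element early and the remainder is read as the message or as a further element; and every SD-ELEMENT needs an SD-ID, which the second element in the output above (`[ Keywords=...`) does not have. The token and private enterprise number below are placeholders, and the sample event is a constructed subset of the fields in the post.

```python
"""Build and parse RFC 5424 (syslog IETF) lines where the event fields travel
once, as a JSON MSG, and the SD-ELEMENT carries only a token and a tag.
Added example for the nxlog-ce-users thread above; not NXLog code."""
import json
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the Windows event fields shown in the post.
SAMPLE_EVENT = {
    "EventTime": "2013-09-09 17:15:50",
    "Hostname": "fa-testdevelop",
    "EventID": 5857,
    "SourceName": "Microsoft-Windows-WMI-Activity",
    "ProcessID": 12260,
    "Channel": "Microsoft-Windows-WMI-Activity/Operational",
    "AccountName": "NETWORK SERVICE",
    "Message": "provider started with result code 0x0. ProviderPath = "
               "%SystemRoot%\\system32\\tscfgwmi.dll",
}

# Placeholder customer token and private enterprise number (assumptions;
# the real values belong to the log consumer's account).
TOKEN = "a3c50c76-0fc1-412e-a10f-efe6e7b6e09f"
PEN = "41058"


def sd_param_escape(value):
    """RFC 5424 6.3.3: '"', '\\' and ']' inside a PARAM-VALUE are backslash-escaped.
    Backslash goes first so the escapes added afterwards are not re-escaped."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def sd_param_unescape(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)


def build_syslog_ietf(event, token=TOKEN, pen=PEN, tag="windows",
                      facility=1, severity=6, fields_in_sd=False):
    """Return one RFC 5424 line.  fields_in_sd=False sends the event once, as the
    JSON MSG; True also copies every field into the SD-ELEMENT (the doubled
    layout the post complains about), so the two sizes can be compared."""
    pri = facility * 8 + severity
    ts = (datetime.strptime(event["EventTime"], "%Y-%m-%d %H:%M:%S")
          .replace(tzinfo=timezone.utc).isoformat())
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
    header = "<%d>1 %s %s %s %s -" % (pri, ts, event.get("Hostname", "-"),
                                     event.get("SourceName", "-"),
                                     event.get("ProcessID", "-"))
    params = [("tag", tag)]
    if fields_in_sd:
        params += list(event.items())
    sd = "[%s@%s %s]" % (token, pen, " ".join(
        '%s="%s"' % (k, sd_param_escape(v)) for k, v in params))
    msg = json.dumps(event, separators=(",", ":"), ensure_ascii=False)
    return "%s %s %s" % (header, sd, msg)


HEADER_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
SD_ELEMENT_RE = re.compile(r'\[([^\s=\]"]+)((?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def parse_syslog_ietf(line):
    """Parse the header, every SD-ELEMENT and the JSON MSG.  Malformed input
    raises instead of being guessed at, so a truncated or injected element
    is not silently accepted downstream."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri, ts, host, app, procid, msgid = m.groups()
    rest = line[m.end():]
    sd = {}
    if rest.startswith("-"):          # NILVALUE: no structured data
        rest = rest[1:]
    elif rest.startswith("["):
        while rest.startswith("["):
            em = SD_ELEMENT_RE.match(rest)
            if not em:
                raise ValueError("malformed SD-ELEMENT at: %r" % rest[:40])
            sd[em.group(1)] = {k: sd_param_unescape(v)
                               for k, v in SD_PARAM_RE.findall(em.group(2))}
            rest = rest[em.end():]
    else:
        raise ValueError("missing STRUCTURED-DATA")
    msg = rest[1:] if rest.startswith(" ") else rest
    return {"pri": int(pri), "facility": int(pri) // 8, "severity": int(pri) % 8,
            "timestamp": ts, "hostname": host, "app": app, "procid": procid,
            "msgid": msgid, "sd": sd, "payload": json.loads(msg) if msg else None}


def duplicated_fields(parsed):
    """Field names present both as an SD-PARAM and as a key of the JSON payload."""
    in_sd = set().union(*(p.keys() for p in parsed["sd"].values()))
    return sorted(in_sd & set(parsed["payload"] or {}))


if __name__ == "__main__":
    for doubled in (True, False):
        line = build_syslog_ietf(SAMPLE_EVENT, fields_in_sd=doubled)
        print(len(line), "bytes, duplicated:", duplicated_fields(parse_syslog_ietf(line)))
        print(line)
```

Running the block prints the doubled and the single-copy line for the same event with their byte sizes; the single-copy line parses to the same payload with an empty duplicated-field list. The escaping round-trip matters most when the SD-ELEMENT is built from event data, since a Windows message text can contain `]`, `"` or `\` (the ProviderPath in the post has backslashes).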