I'm currently playing around with a "minimal cee template" as per the notes here:
http://cee.mitre.org/docs/cls.html For my tests I'm using the following template: $template minimal_cee,"{\"Event\":{\"p_proc\":\"%programname%\",\"p_sys\":\"%hostname%\",\"time\":\"%timestamp%\"},\"Msg\":{\"raw_msg\":\"%rawmsg%\"}}\n" This works fine for simple tests, unless I log a message that includes quotes in the message payload: input: [bknox@arthur log_spew]$ logger "this is \"a test\"" output: {"Event":{"p_proc":"bknox","p_sys":"arthur","time":"Mar 14 14:37:04"},"Msg":{"raw_msg":"<13>Mar 14 14:37:04 bknox: this is "a test""}} This of course now will not parse as valid JSON. It would be great to have a property option ( http://www.rsyslog.com/doc/property_replacer.html ) that allowed escaping double quotes within a message property (unless there's another way of doing this that I'm missing). Brian _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/
