Hello rsyslog-users,
I really like the idea of imuxsock's trusted properties and structured
logging.
However, when using both features lets users override the trusted
properties.
I guess It's because the JSON parsing takes place after the trusted
properties parsing.
Here is my configuration :
$ModLoad imuxsock
$SystemLogUsePIDFromSystem on
$SystemLogSocketAnnotate on
$SystemLogParseTrusted on
module(load="mmjsonparse")
*.* :mmjsonparse:
if $parsesuccess == "FAIL" then set $!msg = $msg;
template(name="cee" type="string" string="%$!all-json%\n")
action(type="omusrmsg" users="*" template="cee")
Results:
- logger foo
=> { "pid": 15385, "uid": 0, "gid": 0, "exe": "\/usr\/bin\/logger", "cmd":
"logger foo ", "msg": " foo" }
- logger '@cee: {"exe":"/bin/ls","cmd":"ls","pid":42,"gid":42,"uid":42}'
=> { "exe": "\/bin\/ls", "cmd": "ls", "pid": 42, "gid": 42, "uid": 42 }
Is there a way to make mmjsonparse parses the CEE payload before parsing
the trusted properties ? (making the trusted properties override user
fields)
Alternatively, is there a way to make mmjsonparse put user data in a
subtree ?
Thanks!
Philippe
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
