On 04/22/2013 12:32 AM, Radu Gheorghe wrote:
2013/4/22 Erik Steffl <[email protected]>
On 04/19/2013 09:39 PM, David Lang wrote:
On Fri, 19 Apr 2013, Erik Steffl wrote:
Trying to figure out how to use JSON when logging using rsyslog.
Would like to have both incoming and outgoing messages be in JSON.
It seems that incoming messages should be CEE messages, something
like @cee:{"f:":"1", "msg":"some text"}
For outgoing message there would be a template defined that uses
$!all-json (parsed incoming message) and is in JSON format.
As far as I can tell I need the mmjsonparse module.
Is there a good example/explanation somewhere for a similar scenario?
I see the above terms used in number of places I found on the net but
they are very fragmented and lot of them seem to be outdated.
Example config I came up with:
module(load="mmjsonparse")
$template text, "{\"message\":\"%msg%\"}\n"
$template json, "{\"message\":\"%$!all-json%\"**}\n"
local0.* mmjsonparse
& /var/log/erikTest.log;json
& /var/log/erikTest.log;text
& ~
Testing using: logger --priority local0.notice --id '@cee:{"f:":"1",
"msg":"some text"}'
Result (in /var/log/erikTest.log):
{"message":"**INVALID PROPERTY NAME**$!all-json**INVALID PROPERTY
NAME**"}
{"message":" @cee:{"f:":"1", "msg":"some text"}"}
This is on Ubuntu 12.10 using Ubuntu rsyslog 5.8.6-1ubuntu9.1
Is this too old for $!all-json? Am I using it incorrectly?
Help/pointers appreciated on how to solve this, how to troubleshoot etc.
Yes, 5.x is _way_ too old for JSON, you need to be using a 7.x version,
and I would _strongly_ recommend using the latest development right now.
The change rate recently has been very high.
what's a preferred way to get v7 (in ubuntu)? I see that there are:
-
http://www.rsyslog.com/ubuntu-**repository/<http://www.rsyslog.com/ubuntu-repository/>(says
it's experimental)
-
https://launchpad.net/~**tmortensen/+archive/rsyslogv7<https://launchpad.net/~tmortensen/+archive/rsyslogv7>
-
https://launchpad.net/~**gchinis/+archive/rsyslog7<https://launchpad.net/~gchinis/+archive/rsyslog7>(looks
like subset of the previous one but slightly different versions)
- just download/compile?
If you're testing, get the experimental one from the rsyslog repository.
See if it works for you: if you have issues, report them and try with a
stable version. I found the PPA from tmortensen very nice, so that would be
my first stop.
looking at http://ubuntu.adiscon.com/v7-devel/ and there is no
quantal release there, it seems that precise and unstable were just
updated though (i.e. they don't seem stale, just the version is old).
similar for https://launchpad.net/~tmortensen/+archive/rsyslogv7 -
only natty and precise packages are there (except of librelp -
1.0.3-0ubuntu1ppa1q which is available for quantal as well)
the last one
https://launchpad.net/~gchinis/+archive/rsyslog7/+packages says it's
"rsyslog version 7 for quantal" however when looking at the packages
they are for lucid, precise and natty.
do I just add the repository as deb
http://ubuntu.adiscon.com/v7-devel precise/ and hope it's going to work
for quantal as well? Are packages for quantal (and raring) coming soon?
thanks!
erik
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
