In doing some work with mmjsonparse, I could not find any examples of what logs
need to look like to be successfully parsed with 7.5.2. I finally found a video
that Rainer made that said that it needed to have @cee: at the beginning of the
message, but I could not find anything that said this in the rsyslog
documentation.

In dealing with this sort of issue, I would like to suggest an enhancement for
mmjsonparse and mmnormalize.

Today these modules work only on $msg (although mmnormalize has a parameter
that indicates that it may work on $rawmsg).

Rainer has already indicated that he is thinking about adding a parameter that
would be added as a prefix to whatever gets parsed (so you could parse to
$!parsed!stuff instead of $!stuff).

I would like to suggest adding another parameter to the calls to these modules
that overrides the default to parse $msg and lets you parse any other variable
instead.

This would obsolete the flag to have mmnormalize parse $rawmsg, but since the
new option can emulate the old, it should be a simple special case for the
config optimizer.

Another option that I thought of, but that would probably be more work, would be
to have these modules take a template parameter; if there is no template
provided, default to the existing 'template' of "%msg%".

For mmjsonparse, I would also like to see a parameter that could be specified
that would override the requirement for the @cee: cookie. There are a lot of
things where using JSON is very useful that are not going to comply with the cee
standards; forcing people to lie and claim to be cee will just undermine the
value of cee when they do get some standard available.

In fighting this issue today, I got confused by the fact that even though the
mmjsonparse was failing, I was still getting content in templates that had
"%$!msg%". I would have expected that to be blank if the parse failed.

My configuration:

The sender is logging with the format of
"<%pri%>%timestamp% %hostname% %syslogtag% %$!%\n"

The receiver is parsing the message and writing to two files, one with the
format of "%timestamp% %hostname% %syslogtag% %$!msg%\n" (for things that want
traditional logs) and another with the default format (for things that can use
the extra data).

As a work-around, I changed the sender's format to be
"<%pri%>%timestamp% %hostname% %syslogtag% @cee:%$!%\n"
but this is going to cause me grief later when I have analysis tools that really
do understand what cee is and look for that tag to tell them that they can use
that standard.

The funny thing is that I did some testing of these configs several weeks ago
with 7.4 and I could have sworn that they worked at that point (without @cee:).

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
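
To illustrate the behaviour described in the post above, here is an added example (not part of the original message and not rsyslog code): a small Python model of the @cee: cookie rule, run over constructed message bodies. It assumes leading whitespace before the cookie is ignored and, following what the post observed, that a failed parse still leaves the raw text under `msg`; `require_cookie` is a hypothetical switch standing in for the override parameter the post asks for.

```python
import json

CEE_COOKIE = "@cee:"


def parse_like_mmjsonparse(msg, require_cookie=True):
    """Model of the cookie rule from the post. Returns (ok, tree).

    On failure the tree holds only the raw message under "msg", which is
    why a "%$!msg%" template still prints something (assumption, see lead-in).
    """
    body = msg.lstrip()
    if require_cookie:
        if not body.startswith(CEE_COOKIE):
            return False, {"msg": msg}       # no cookie: not treated as JSON
        body = body[len(CEE_COOKIE):]
    elif body.startswith(CEE_COOKIE):
        body = body[len(CEE_COOKIE):]        # cookie optional, still accepted
    try:
        tree = json.loads(body)
    except ValueError:
        return False, {"msg": msg}           # cookie present, JSON malformed
    if not isinstance(tree, dict):
        return False, {"msg": msg}           # only a JSON object maps to $!
    return True, tree


def render_traditional(tree):
    """What a "%$!msg%" template would emit for this tree."""
    return str(tree.get("msg", ""))


# Constructed sample bodies (the part of the line after %syslogtag%).
SAMPLES = [
    '{"msg": "disk full", "sev": "warn"}',       # sender without the cookie
    '@cee:{"msg": "disk full", "sev": "warn"}',  # sender with the work-around
    '@cee:{"msg": "disk full", ',                # truncated in transit
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for strict in (True, False):
            ok, tree = parse_like_mmjsonparse(sample, require_cookie=strict)
            print(f"cookie_required={strict!s:5} ok={ok!s:5} "
                  f"$!msg={render_traditional(tree)!r}")
```

With the cookie required, the first sample fails yet the traditional template prints the entire raw JSON string, which matches the confusing non-blank output the post describes.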