First, you need to check whether mmnormalize is able to parse logs with
your rulebase. This can be done with the 'lognormalizer' utility or,
probably, using the 'RSYSLOG_DebugFormat' template. Once you see parsed
properties in the output, we can move further.
What looks strange to me: you have opening but not closing quote marks
in your templates, below.
--
Pavel Levshin
25.11.2013 8:43, Eric Renfro:
Hmm, I hadn't thought to try !variablename in template properties... Like this?
template(name="logstash-accesslog" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\"@fields.bytes\":\"") property(name="!bytesend")
    constant(value="\"@fields.clientip\":\"") property(name="!ip")
    constant(value="\"@fields.method\":\"") property(name="!method")
    constant(value="\"@fields.request\":\"") property(name="!url")
    constant(value="\"@message\":\"") property(name="msg" position.from="2" spifno1stsp="off")
    constant(value="\"@source_host\":\"") property(name="hostname")
    constant(value="\"@vhost\":\"") property(name="!vhost")
    constant(value="\"host\":\"") property(name="fromhost-ip")
    constant(value="\"}")
}
But, still, so far this doesn't seem to be working at all. I get nothing in my
elasticsearch under the expected document type.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
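A corrected form of the template from the quoted message, together with the parse check the reply suggests. This is an added example, not configuration from either poster; the rulebase path, the debug file path and the omelasticsearch index/type names are assumed placeholders.

```rsyslog
# Added example (not from the thread). Assumes mmnormalize is built and the
# rulebase at the placeholder path parses the access log into $!bytesend,
# $!ip, $!method, $!url and $!vhost.
module(load="mmnormalize")
module(load="omelasticsearch")
action(type="mmnormalize" rulebase="/etc/rsyslog.d/accesslog.rulebase")

# Parse check before shipping anything: the built-in RSYSLOG_DebugFormat
# template dumps the message together with its parsed property tree, so
# the $! variables can be seen (or seen to be missing) in this file.
action(type="omfile" file="/var/log/rsyslog-normalize-debug.log"
       template="RSYSLOG_DebugFormat")

# option.json="on" only JSON-escapes each property value. The closing
# quote after every value and the comma before the next key must be
# supplied by constant(); the quoted template omitted both, so the output
# was never valid JSON and Elasticsearch rejected the documents.
# "$!" addresses the JSON variable tree that mmnormalize populates.
template(name="logstash-accesslog" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@fields.bytes\":\"")    property(name="$!bytesend")
    constant(value="\",\"@fields.clientip\":\"") property(name="$!ip")
    constant(value="\",\"@fields.method\":\"")   property(name="$!method")
    constant(value="\",\"@fields.request\":\"")  property(name="$!url")
    constant(value="\",\"@message\":\"")
    property(name="msg" position.from="2" spifno1stsp="off")
    constant(value="\",\"@source_host\":\"")     property(name="hostname")
    constant(value="\",\"@vhost\":\"")           property(name="$!vhost")
    constant(value="\",\"host\":\"")             property(name="fromhost-ip")
    constant(value="\"}")
}

# Ship with the corrected template; index and type names are placeholders.
action(type="omelasticsearch" server="localhost" serverport="9200"
       searchIndex="logstash-accesslog" searchType="accesslog"
       template="logstash-accesslog")
```

If the debug file shows no `$!` properties, the rulebase rather than the template is the problem, and that is the part to test with lognormalizer first.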