On Mon, 25 Nov 2013, Pavel Levshin wrote:

At first, you need to check if mmnormalize is able to parse logs with your rulebase. This could be done with 'lognormalizer' utility, or, probably, using 'RSYSLOG_DebugFormat' template. Once you see parsed properties in the output, we can move further.

What looks strange to me: you have opening but not closing quote marks in your templates, below.

good catch, that's probably the bug. in most of the constant declarations, he probably needs to add '\" ' before the '\"@' portion.

when fighting problems like this it's always a good idea to write to a simple file with the template that you are trying to use (adding linefeeds as needed to the template to make things readable)

David Lang


--
Pavel Levshin


25.11.2013 8:43, Eric Renfro:
Hmm, I hadn't thought to try !variablename in template properties.. Like this?

template(name="logstash-accesslog"
          type="list"
          option.json="on") {
            constant(value="{")
            constant(value="\"@timestamp\":\"")
            property(name="timereported" dateFormat="rfc3339")
            constant(value="\"@fields.bytes\":\"")
            property(name="!bytesend")
            constant(value="\"@fields.clientip\":\"")
            property(name="!ip")
            constant(value="\"@fields.method\":\"")
            property(name="!method")
            constant(value="\"@fields.request\":\"")
            property(name="!url")
            constant(value="\"@message\":\"")
            property(name="msg" position.from="2" spifno1stsp="off")
            constant(value="\"@source_host\":\"")
            property(name="hostname")
            constant(value="\"@vhost\":\"")
            property(name="!vhost")
            constant(value="\"host\":\"")
            property(name="fromhost-ip")
            constant(value="\"}")
          }

But, still, so far this doesn't seem to be working at all. I get nothing in my elasticsearch under the expected document type.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
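
An added example, not part of the original thread and not rsyslog code: a small Python model of the list template discussed above, which emits the constants verbatim, JSON-escapes property values, and checks whether the rendered record parses as JSON. The rendering model, the sample values, and the helper names (build, render, check) are assumptions; position.from is ignored, and the second variant closes each value with a quote and the comma JSON requires between members.

```python
import json

# Key/property pairs copied from the template posted above.
FIELDS = [
    ("@timestamp", "timereported"), ("@fields.bytes", "!bytesend"),
    ("@fields.clientip", "!ip"), ("@fields.method", "!method"),
    ("@fields.request", "!url"), ("@message", "msg"),
    ("@source_host", "hostname"), ("@vhost", "!vhost"),
    ("host", "fromhost-ip"),
]

# Constructed sample property values, not taken from a real log.
SAMPLE = {
    "timereported": "2013-11-25T08:43:00+00:00", "!bytesend": "512",
    "!ip": "192.0.2.10", "!method": "GET", "!url": "/index.html",
    "msg": 'GET /index.html "curl/7.0"', "hostname": "web01",
    "!vhost": "example.test", "fromhost-ip": "192.0.2.1",
}

def build(fields, close_values):
    """Return the template as (kind, value) steps.
    close_values=False reproduces the posted constants; True prepends the
    closing quote and comma to every key constant after the first."""
    steps = [("constant", "{")]
    for i, (key, prop) in enumerate(fields):
        prefix = '",' if close_values and i > 0 else ""
        steps.append(("constant", prefix + '"' + key + '":"'))
        steps.append(("property", prop))
    steps.append(("constant", '"}'))
    return steps

def render(template, props):
    """Simplified model: constants verbatim, property values JSON-escaped."""
    out = []
    for kind, value in template:
        if kind == "constant":
            out.append(value)
        else:
            out.append(json.dumps(str(props[value]))[1:-1])
    return "".join(out)

def check(rendered):
    """Return (True, parsed_dict) or (False, parser error with column)."""
    try:
        return True, json.loads(rendered)
    except json.JSONDecodeError as e:
        return False, f"{e.msg} at column {e.colno}"

if __name__ == "__main__":
    for label, fixed in (("as posted", False), ("values closed", True)):
        ok, detail = check(render(build(FIELDS, fixed), SAMPLE))
        print(label, "->", "valid JSON" if ok else "invalid JSON: " + detail)
```

The same check can be pointed at a line written to a plain file with the real template, which is the debugging step suggested in the thread.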
