Ahh, thanks Pavel! I hadn't noticed the JSON formatting error. I corrected the issue and solved that issue completely shortly after. :)

I managed to come up with, thanks to everyone's help, and some continued tinkering still, this:
http://linux-help.org/wiki/logging/advanced-rsyslog

--
Eric Renfro (Psi-Jack)
Linux-Help.org System Engineer

On Sunday, November 24, 2013 10:14:00 PM David Lang wrote:
> On Mon, 25 Nov 2013, Pavel Levshin wrote:
>
> > At first, you need to check if mmnormalize is able to parse logs with your
> > rulebase. This could be done with 'lognormalizer' utility, or, probably,
> > using 'RSYSLOG_DebugFormat' template. Once you see parsed properties in the
> > output, we can move further.
> >
> > What looks strange for me, you have opening but not closing quote marks in
> > your templates, below.
>
> good catch, that's probably the bug. in most of the constant declarations, he
> probably needs to add '\" ' before the '\"@' portion.
>
> when fighting problems like this it's always a good idea to write to a simple
> file with the template that you are trying to use (adding linefeeds as needed
> to the template to make things readable)
>
> David Lang
>
> > --
> > Pavel Levshin
> >
> >
> > 25.11.2013 8:43, Eric Renfro:
> >> Hmm, I hadn't thought to try !variablename in template properties.. Like
> >> this?
> >>
> >> template(name="logstash-accesslog"
> >>          type="list"
> >>          option.json="on") {
> >>     constant(value="{")
> >>     constant(value="\"@timestamp\":\"")
> >>     property(name="timereported" dateFormat="rfc3339")
> >>     constant(value="\"@fields.bytes\":\"")
> >>     property(name="!bytesend")
> >>     constant(value="\"@fields.clientip\":\"")
> >>     property(name="!ip")
> >>     constant(value="\"@fields.method\":\"")
> >>     property(name="!method")
> >>     constant(value="\"@fields.request\":\"")
> >>     property(name="!url")
> >>     constant(value="\"@message\":\"")
> >>     property(name="msg" position.from="2" spifno1stsp="off")
> >>     constant(value="\"@source_host\":\"")
> >>     property(name="hostname")
> >>     constant(value="\"@vhost\":\"")
> >>     property(name="!vhost")
> >>     constant(value="\"host\":\"")
> >>     property(name="fromhost-ip")
> >>     constant(value="\"}")
> >> }
> >>
> >> But, still, so far this doesn't seem to be working at all. I get nothing
> >> in my elasticsearch under the expected document type.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
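The quoting problem discussed in this thread can be caught before events reach Elasticsearch by validating the rendered line, in the spirit of the "write to a simple file" advice. The following is an added example, not code from the thread or from rsyslog: `render` is a hypothetical Python stand-in for a list template, `check` is a hypothetical validator, and the property values are constructed sample data.

```python
import json

# Constructed sample property values (not taken from the thread).
SAMPLE = {"timereported": "2013-11-25T08:43:00+00:00", "!bytesend": "512",
          "!ip": "192.0.2.10", "!method": "GET", "!url": '/search?q="x"'}

# (JSON key, property name) pairs, a subset of the posted template, same order.
FIELDS = [("@timestamp", "timereported"), ("@fields.bytes", "!bytesend"),
          ("@fields.clientip", "!ip"), ("@fields.method", "!method"),
          ("@fields.request", "!url")]

def render(fields, props, sep):
    """Emulate the list template: constant() text, then the property() value.

    sep is the text placed before every key after the first:
      ''    as posted (value is opened but never closed)
      '" '  closing quote only
      '",'  closing quote plus the comma JSON requires between members
    """
    out = "{"
    for i, (key, prop) in enumerate(fields):
        if i > 0:
            out += sep
        out += '"%s":"' % key
        # Stand-in for the escaping that option.json="on" applies to values.
        out += json.dumps(props[prop])[1:-1]
    return out + '"}'

def check(line):
    """Return (True, parsed_doc) or (False, reason) for one rendered line."""
    try:
        return True, json.loads(line)
    except json.JSONDecodeError as exc:
        return False, "col %d: %s" % (exc.colno, exc.msg)

if __name__ == "__main__":
    for label, sep in (("as posted", ""), ("quote only", '" '),
                       ("quote + comma", '",')):
        ok, detail = check(render(FIELDS, SAMPLE, sep))
        print("%-14s %s %s" % (label, "OK  " if ok else "FAIL", detail))
```

Running the same `check` over each line of a debug output file shows whether a template change produces documents a JSON consumer will accept.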

