On 01/23/2014 03:04 PM, Radu Gheorghe wrote:
> Hi,
>
> That's weird, I thought the "json" option would do exactly that. It
> certainly works with version 7+, take a look here:
> http://blog.sematext.com/2013/07/01/recipe-rsyslog-elasticsearch-kibana/
>
> What version are you using?
I am using 7.4.6 and there are no problems passing the data to
elasticsearch.
But I am passing it to logstash via udp-syslog which then passes the
data to elasticsearch since I have some really neat plugins in logstash
that I cannot live without.
I should try to define the template in the same way that you do and see
if that makes a difference on how the field is defined.
For now I have made a really ugly solution that seems to work by
stripping off the double quotes.
$template ls_json,"{%timereported:::date-rfc3339,jsonf:timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:R,BRE,1,BLANK,0:\([^\"]*\)\"*--end%%msg:R,BRE,1,BLANK,1:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,2:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,3:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,4:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,5:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,6:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,7:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,8:\([^\"]*\)\"--end%%msg:R,BRE,1,BLANK,9:\([^\"]*\)\"--end%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%,%fromhost:::jsonf%,%fromhost-ip:::jsonf%}}"
>
> 2014/1/22 Per-Erik Persson <[email protected]>
>
>> I am passing data from rsyslog to logstash and to pass on some special
>> fields I need to JSON-encapsulate the data.
>> It is passed via syslog to logstash since this seems to be the only
>> format working at the moment.
>>
>> My template looks like this:
>> $template ls_json,"{%timereported:::date-rfc3339,jsonf:timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg::::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%,%fromhost:::jsonf%,%fromhost-ip:::jsonf%}}"
>>
>> Not surprisingly it barfs when the msg field contains a double quote "
>> Is it possible to "pre-escape" the double quote to be \" within the msg
>> field?
>> At least I assume that would be the easiest way to do it.
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
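An added example, not part of the original posts and not rsyslog code: it contrasts the three ways of embedding a message body in a JSON event that this thread touches on (no escaping, stripping double quotes, JSON string escaping of the kind the thread expects from the "json" option). The event layout, function names and sample messages are assumptions made for illustration; Python's json module stands in for the escaping step.

```python
import json

# Constructed sample message bodies (not taken from the thread).
MSG_QUOTE = 'login failed for user "bob"'
MSG_BACKSLASH = 'open failed: C:\\work\\app.log'


def _event(message_literal):
    # Hypothetical, reduced version of the ls_json layout: the message field
    # plus one fixed entry under @fields.
    return '{"@message":' + message_literal + ',"@fields":{"program":"sshd"}}'


def render_raw(msg):
    """Paste msg between quotes with no escaping at all."""
    return _event('"' + msg + '"')


def render_stripped(msg):
    """Drop every double quote (approximates the intent of the regex workaround)."""
    return _event('"' + msg.replace('"', '') + '"')


def render_escaped(msg):
    """Apply JSON string escaping to msg before embedding it."""
    return _event(json.dumps(msg))


def parse(line):
    """Return the decoded event, or None if the line is not valid JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    renderers = (("raw", render_raw), ("stripped", render_stripped),
                 ("escaped", render_escaped))
    for name, render in renderers:
        for msg in (MSG_QUOTE, MSG_BACKSLASH):
            event = parse(render(msg))
            shown = "INVALID JSON" if event is None else repr(event["@message"])
            print(f"{name:9} {msg!r} -> {shown}")
```

Stripping quotes makes the first sample parse but changes the logged text, and the backslash sample still fails to parse; only the escaped form round-trips both messages unchanged.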