On Apr 14, 2015, at 11:43 PM, David Lang <[email protected]> wrote:
> 
> On Wed, 15 Apr 2015, Ezell, Matthew A. wrote:
> 
>> 
>> Hello-
>> 
>> What is the current "best practice" for a portable application to get
>> structured data to rsyslog?
>> 
>> ... gets JSON printed to the log.  That may be undesirable in the common 
>> case.
> 
> the question is why it is undesirable and how much effort you are willing to
> do to fix the issue.
...
> What I do is I ask for the apps to output in JSON wherever possible, and I
> don't worry about creating a human friendly message in a text file. I write
> the JSON (or a subset of it) to the text file and if someone needs it
> prettier, they can read the JSON and convert it.

For example: as long as there aren’t character set conversion issues such as 
writing Windows-1252 encoded strings into what should be UTF-8 JSON encoding, 
then tools like 'jq' <http://stedolan.github.io/jq/> are very helpful for 
pulling fields out of JSON-format logs.  It can be as simple as: pipe the file 
to "jq -r '.msg'" to get the raw logs back out.

> what I do is to take whatever message was output and then run mmjsonparse
> against it. If it's cee JSON (insert grumble about the requirement for the
> cee cookie ;-) I have all the variables, but no $!msg field. If I have a
> $!msg field, then I parse it using mmnormalize to extract variables from it.
> If there isn't a $!msg field, I set $!msg=$msg so that I have something I
> can spit out when I'm doing a 'plain' logfile.
> 
> I also add metadata to the JSON (fromhost-ip, received time, hostname of
> relay, and an environment tag so that later on I can trivially tell the
> difference between dev and prod copies of the same software)

We do something very similar to this, and I suspect so do other high-volume 
Rsyslog users such as Radu at Sematext.

I feel this should just be Rsyslog’s recommended operational practice.  If 
you’re building a log monitoring infrastructure today, this is how you should 
be doing it.  Free-form text syslog should be considered a legacy encoding that 
is of course still supported as an input format (and if you must, an output 
format).  Maybe we should put such a recommended config prominently on the 
Rsyslog web site to help overcome any lingering impressions that syslog is a 
legacy logging format that has been replaced by journald.

--
Dave Caplinger, Director of Architecture | Solutionary — An NTT Group Security Company

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
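The pipeline David Lang describes above (run the message through mmjsonparse, parse a $!msg field further with mmnormalize, otherwise set $!msg=$msg, add relay metadata, write JSON) together with the charset caveat and the `jq -r '.msg'` step, modelled end to end as an added example. This is not code from the thread or from rsyslog: in rsyslog itself these steps are the mmjsonparse and mmnormalize modules, `set` statements and an output template, whereas here they are small Python functions so the behaviour can be checked on sample input. The sample messages, the sshd rule (a stand-in for an mmnormalize rulebase), the Windows-1252 fallback and the metadata values (host, relay, environment) are all constructed for illustration.

```python
"""Model of the structured-log pipeline discussed in the thread: JSON in
(with or without the @cee: cookie), plain text as a fallback, field
extraction from msg, relay metadata, one JSON object per line out, and
the jq '.msg' step to get plain text back.  Added example, not rsyslog code."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

CEE_COOKIE = "@cee:"

# Constructed sample MSG parts (not taken from the thread): a @cee JSON event,
# bare JSON with a "msg" field, plain sshd text, and a @cee event whose
# supposedly UTF-8 payload carries a Windows-1252 byte (0x92, right quote).
SAMPLE_MESSAGES = [
    b'@cee: {"event":"login","user":"alice","src":"192.0.2.10","result":"ok"}',
    b'{"event":"login","user":"bob","result":"fail","msg":"bad password"}',
    b"sshd[1234]: Failed password for invalid user carol from 198.51.100.7 port 4022 ssh2",
    b'@cee: {"event":"note","msg":"user\x92s session expired"}',
]

# Stand-in for an mmnormalize rulebase: one rule for sshd failed-password lines.
SSHD_FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def decode_message(raw: bytes) -> str:
    """Decode the MSG part as UTF-8.  If that fails, this example assumes the
    legacy encoding is Windows-1252 (an assumption, not a rsyslog feature)
    so that no invalid byte sequence ends up inside the JSON output."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("windows-1252", errors="replace")


def parse_json_payload(text: str) -> Optional[dict]:
    """mmjsonparse equivalent.  Accepts the @cee: cookie but, unlike the
    mmjsonparse default, also accepts a bare JSON object.  None == parse failed."""
    body = text.strip()
    if body.startswith(CEE_COOKIE):
        body = body[len(CEE_COOKIE):].lstrip()
    if not body.startswith("{"):
        return None
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def normalize_msg(msg: str) -> dict:
    """mmnormalize equivalent: pull structured fields out of free text."""
    m = SSHD_FAILED.search(msg)
    if not m:
        return {}
    return {
        "event": "ssh_auth_failure",
        "user": m.group("user"),
        "src": m.group("src"),
        "port": int(m.group("port")),
        "invalid_user": m.group("invalid") is not None,
    }


def process_message(raw: bytes, fromhost_ip: str, relay: str, env: str,
                    received: datetime) -> dict:
    """One message through the whole pipeline; returns the enriched event."""
    text = decode_message(raw)
    event = parse_json_payload(text)
    if event is None:
        event = {"msg": text}           # plain text: the whole line is $!msg
    if "msg" in event:
        # A msg field exists: extract fields from it; app-supplied keys win.
        for key, value in normalize_msg(str(event["msg"])).items():
            event.setdefault(key, value)
    else:
        # JSON without msg: keep the raw text so a plain logfile is still possible.
        event["msg"] = text
    # Relay metadata: origin, receive time, relay host, environment tag.
    event["fromhost_ip"] = fromhost_ip
    event["received_at"] = received.isoformat()
    event["relay"] = relay
    event["env"] = env
    return event


def to_json_line(event: dict) -> str:
    """One UTF-8 JSON object per line (what the JSON output template writes)."""
    return json.dumps(event, ensure_ascii=False)


def plain_messages(json_lines) -> list:
    """The `jq -r '.msg'` step: recover the plain text from JSON-format logs."""
    return [json.loads(line).get("msg") for line in json_lines]


def run_samples() -> list:
    """Push the constructed samples through the pipeline with fixed metadata."""
    received = datetime(2015, 4, 15, 6, 43, tzinfo=timezone.utc)
    return [process_message(m, fromhost_ip="203.0.113.5", relay="relay01.example",
                            env="prod", received=received) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    lines = [to_json_line(e) for e in run_samples()]
    print("\n".join(lines))                  # the JSON logfile
    print("\n".join(plain_messages(lines)))  # the 'plain' logfile, jq style
```

Running the script prints the four enriched JSON lines followed by the plain-text view that `jq -r '.msg'` would give; the fourth line shows the Windows-1252 byte arriving as a proper U+2019 instead of breaking the JSON. The `parse_json_payload` returning None is the counterpart of mmjsonparse reporting a parse failure (in rsyslog you would branch on `$parsesuccess`), and `setdefault` makes the application's own fields take precedence over anything the normalizer guesses from the text.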