On Thu, 18 Jun 2015, Rainer Gerhards wrote:
2015-06-18 8:31 GMT+02:00 David Lang <[email protected]>:
There are so many cases where someone needs to override something in the
default template (bad hostname, bad programname, etc) that having to create
a custom tempalte for each thing gets to be a hassle.
I'd like to propose that we have some templates that are exactly the same as
the default ones, but that look (for example) for $.hostname and if it's
set, use that instead of $hostname. Have this setup for everything in the
default template set.
I don't know if we dare to do this to the existing templates, or if these
would need to be new templates. If new, could they be built-in, or should
they be string modules that are explicitly loaded (and if string modules,
could they override the default definitions??)
This doesn't sound too trivial.
currently the prebuilt templates probably do something along the lines of
buff++ = '<'
strcpy(pri,buff)
buff = buff + len(pri)
strcopy(timestamp,buff)
buff = buff + len(timestamp)
etc
(with stuff to make the timestamp a string from it's internal representation,
etc)
this would change it so instead of the lines
strcopy(timestamp,buff)
buff = buff + len(timestamp)
it would be something like
if exists("$.timestamp") {
strcopy("$.timestamp",buff)
buff = buff + len("$.timestamp")
} else {
strcopy(timestamp,buff)
buff = buff + len(timestamp)
}
(obviously with the function call to find where $.timestamp is, etc)
so it is a little verbose, but assuming that there are some reasonable functions
to look for a variable and find it's length, I'm not seeing it as something that
messy.
I also think that we need to have a couple of JSON based templates:
file and forwarding versions of the base templates that use $! for the
message body instead of $msg (do we need a version with '@cee:? or can we
modify mmjsonparse to have an option to no longer require that now that cee
is dead?)
Either way is possible, and adding such a thing *is* trivial.
and finally a template that is just "$!\n" to use when forwarding to other
tools (nxlog, logstash, etc)
do we really need this? As of my understanding, they thros the \n away
in json parsing. Or do you mean as part of TCP syslog framing?
if not "%!\n" then "$!". I was thinking to include the \n in the template so
that writing it to disk gets you one line per json message. by default, logstash
does no framing of it's JSON input/output, it's just JSON messages strung
together, the only framing is the structure of the message (relying on TCP
checksums to avoid corruption and assuming the sender never makes a mistake)
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
