On Mon, 21 Sep 2015, Otis Gospodnetić wrote:
> Hi,
>
> Some of us here at Sematext debated the adoption of RFC 5424. So instead
> of guessing, we thought we'd conduct a 1-question poll :)
>
> http://blog.sematext.com/2015/09/21/poll-how-do-you-ship-your-logs/
>
> Oh, and try to guess before peeking at the results! :)

It's not really clear what the difference between 'plain text oriented logs' and
the old RFC is.

It's also possible to use RFC 5424 with no structured data in it (what I see most
frequently), so this is really the equivalent to the first two.

Shipping JSON logs can be done by shipping pure JSON with no headers (the way
logstash pushes you to do) and shipping JSON as the body of the message in an
RFC-compliant syslog message.

I actually do a combination of things.

The first hop from the device generating the log message is generally plain
syslog (old or new depending on the sender. I'm finding that some senders
support both but truncate the log to 1k if using the old format, but not if
using RFC 5424, but still with no structured data).

Then my relays wrap the original message in JSON so they can add some metadata
and ship the logs to my central servers.

At the central servers the logs get parsed and a lot more JSON data shows up;
the resulting, larger JSON gets shipped to different analysis engines.

David Lang
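
A sketch of the relay step described in the message above, added here as an example; it is not David Lang's configuration and not rsyslog code. It tells RFC 5424 with and without structured data apart from old-style syslog, picks up a JSON body when there is one, and wraps the untouched original in a JSON envelope. The envelope field names, the relay name and the sample lines are constructed assumptions.

```python
import json
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>[1-9]\d? \S+ (?P<host>\S+) \S+ \S+ \S+ "
    r"(?P<sd>-|(?:\[.*?(?<!\\)\])+)(?: (?P<msg>.*))?$", re.S)
# Old-style syslog: <PRI>Mmm dd hh:mm:ss HOST rest-of-message
LEGACY = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

def classify(raw):
    """Return (format label, regex match or None) for one received line."""
    m = RFC5424.match(raw)
    if m:
        # "-" is the RFC 5424 NILVALUE: a valid header with no structured data.
        return ("rfc5424" if m["sd"] != "-" else "rfc5424-no-sd"), m
    m = LEGACY.match(raw)
    return ("legacy", m) if m else ("unparsed", None)

def wrap(raw, relay, received_at):
    """Wrap the original message in a JSON envelope carrying relay metadata."""
    fmt, m = classify(raw)
    # Envelope keys are hypothetical names chosen for this example.
    env = {"relay": relay, "received_at": received_at,
           "format": fmt, "original": raw}
    if m:
        env["facility"], env["severity"] = divmod(int(m["pri"]), 8)
        env["host"] = m["host"]
        try:  # JSON shipped as the body of a syslog message
            body = json.loads(m["msg"] or "")
            if isinstance(body, dict):
                env["body_json"] = body
        except ValueError:
            pass  # plain-text body: only the verbatim original is kept
    # json.dumps escapes control characters, so a newline embedded in the
    # original cannot split the envelope into a second, forged record.
    return json.dumps(env)

# Constructed sample lines, not taken from the thread.
SAMPLES = [
    '<34>1 2015-09-21T10:00:00Z host1 app 123 - - plain text message',
    '<165>1 2015-09-21T10:00:01Z host2 app - ID47 [exampleSDID@32473 iut="3"] '
    '{"user": "alice", "action": "login"}',
    '<13>Sep 21 10:00:02 host3 sshd[42]: Failed password\nfor root',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(wrap(line, "relay1.example", "2015-09-21T10:00:03Z"))
```

Keeping the original string verbatim in the envelope lets the central servers re-parse it later, whatever the relay made of it.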
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.