Hi,

A few more questions from me, this time regarding the transport of GELF,
not the message format.

Clients seem to send GELF over UDP, TCP (and even HTTP!) and compress
messages via GZIP or ZLIB (this is in the GELF specs
<https://www.graylog.org/resources/gelf/>). What's more, it also allows
clients to send messages in chunks.

Ignoring HTTP for now, rsyslog (more precisely, imptcp and imudp) doesn't
seem to understand content sent GZIPed or ZLIBed.

If we add chunks to the mix, it sounds to me that in order to properly
support GELF ingestion (compression, chunks, HTTP) we'd need an "imgelf"
that would understand these things. So my questions are:
- Do you think imgelf would be the right approach? Or changing imptcp and
imudp to work with chunks and compression? Assuming the right
configuration, of course.
- Do you think there would be interest for such a contribution in rsyslog?
Is there anyone (else) already looking into it?

Best regards,
Radu

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Thu, Oct 1, 2015 at 8:07 AM, Ciprian Hacman <[email protected]>
wrote:

> Hi,
>
> I tried to add GELF parsing to our servers but I have no idea how to
> process the timestamp.
>
> GELF requires timestamp to be in "Seconds since UNIX epoch with optional
> decimal places for milliseconds".
> https://www.graylog.org/resources/gelf/
>
> Extracting it is not an issue, but is there a way to convert it to
> something like RFC3339?
>
> Thanks,
> Ciprian
>
> --
> Performance Monitoring * Log Analytics * Search Analytics
> Solr & Elasticsearch Support * http://sematext.com/
>
> On Fri, Sep 25, 2015 at 12:29 AM, Otis Gospodnetić <
> [email protected]> wrote:
>
> > Awesome, thanks Dave!
> >
> > Otis
> > --
> > Monitoring * Alerting * Anomaly Detection * Centralized Log Management
> > Solr & Elasticsearch Support * http://sematext.com/
> >
> >
> > On Thu, Sep 24, 2015 at 1:53 AM, David Lang <[email protected]> wrote:
> >
> > > On Wed, 23 Sep 2015, Otis Gospodnetić wrote:
> > >
> > >> Hi,
> > >>
> > >> I'm looking into whether we can use rsyslog in Logsene
> > >> <http://sematext.com/logsene> to accept and parse logs in GELF?
> > >>
> > >> I found https://github.com/rsyslog/rsyslog/issues/292 , but that issue
> > >> seems to be focused on *outputting* "GELFified" logs, while I'm looking at
> > >> the "ingest" side of rsyslog.
> > >>
> > >> Does rsyslog have any support for that?
> > >> Just a matter of configuring the parsing of it?
> > >>
> > >> I looked at http://search-devops.com/?q=gelf&fc_project=Rsyslog but
> > >> didn't
> > >> see anything addressing this.
> > >>
> > >
> > > > mmnormalize and liblognorm have a GELF parser in the most recent versions
> > > > (1.1.2 and 2.0.0 of liblognorm, requires rsyslog 8.13)
> > >
> > > David Lang
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > > DON'T LIKE THAT.
> > >
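The transport handling raised in the top message (GZIP/ZLIB payloads and chunked UDP datagrams), shown as an added example that is not rsyslog code and not part of the thread. The chunk header layout (magic bytes, 8-byte message id, sequence number, sequence count) and the 128-chunk limit follow the GELF specification linked above; `GelfUdpReceiver`, `inflate`, the size caps and the sample message are assumptions made for illustration.

```python
import json
import struct
import zlib

CHUNK_MAGIC = b"\x1e\x0f"   # marks a chunked GELF datagram (GELF spec)
MAX_CHUNKS = 128            # chunk-count limit from the GELF spec
MAX_DECODED = 1 << 20       # assumed 1 MiB cap on decompressed size
MAX_PENDING = 1024          # assumed cap on partially received messages

def inflate(payload: bytes) -> bytes:
    """Decompress GZIP/ZLIB with a hard output cap; pass plain JSON through."""
    if payload[:2] == b"\x1f\x8b":
        wbits = 31                      # gzip container
    elif payload[:1] == b"\x78":
        wbits = 15                      # zlib container
    else:
        return payload                  # uncompressed GELF starts with "{"
    d = zlib.decompressobj(wbits)
    out = d.decompress(payload, MAX_DECODED + 1)
    if len(out) > MAX_DECODED or not d.eof:
        raise ValueError("oversized or truncated compressed payload")
    return out

class GelfUdpReceiver:
    def __init__(self):
        # (message id, count) -> {seq: bytes}; expire old entries in production
        self.pending = {}

    def feed(self, datagram: bytes):
        """Return the decoded GELF dict once a message is complete, else None."""
        if datagram[:2] != CHUNK_MAGIC:
            return json.loads(inflate(datagram))
        if len(datagram) < 12:
            raise ValueError("truncated chunk header")
        msg_id, seq, count = struct.unpack("!8sBB", datagram[2:12])
        if not 0 < count <= MAX_CHUNKS or seq >= count:
            raise ValueError("invalid chunk sequence")
        key = (msg_id, count)
        if key not in self.pending and len(self.pending) >= MAX_PENDING:
            raise ValueError("too many incomplete messages")
        parts = self.pending.setdefault(key, {})
        parts[seq] = datagram[12:]
        if len(parts) < count:
            return None
        del self.pending[key]
        return json.loads(inflate(b"".join(parts[i] for i in range(count))))

# Constructed sample: one zlib-compressed GELF message in a single datagram
SAMPLE = zlib.compress(b'{"version":"1.1","host":"web1","short_message":"hi"}')
```

The output cap in `inflate` and the bound on `pending` matter because a UDP listener accepts datagrams from any sender, so both decompressed size and reassembly state are attacker-influenced.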