On Wed, 6 Apr 2016, Matt Ford wrote:
Hi,
I'm sending syslog data that's formatted as json via a rsyslog
template to kafka. Works great.
Most of the applications in my infrastructure (there are many) also
write logging output to files as JSON (one long json string per line).
I'd love to be able to use this data in a template in Rsyslog but I'm
not sure how. The logging lines are not @cee tagged and that won't be
changed :-(
Ideally something like this - any pointers, anyone, on what I might do?
```
action(type="mmjsonparse") # parse CEE-formatted messages
template(name="syslog-cee" type="list") { # Elasticsearch documents
will contain
property(name="$!all-json") # all JSON fields that were parsed
}
```
liblognorm v2 supports non cee json, so you would have a rule something like
rule=: @cee:%.:json%
rule=: %.:json%
and then use mmnormalize to parse the rule and all the info will show up under
$!
by the way, look at what's in $! vs $!all-json. I believe that the latter
includes multiple copies of many things.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
