2016-04-06 20:50 GMT+02:00 David Lang <[email protected]>:
> On Wed, 6 Apr 2016, Matt Ford wrote:
>
>> Hi,
>>
>> I'm sending syslog data that's formatted as json via a rsyslog
>> template to kafka. Works great.
>>
>> Most of the applications in my infrastructure (there are many) also
>> write logging output to files as JSON (one long json string per line).
>>
>> I'd love to be able to use this data in a template in Rsyslog but I'm
>> not sure how. The logging lines are not @cee tagged and that won't be
>> changed :-(
>>
>> Ideally something like this - any pointers, anyone, on what I might do?
>>
>> ```
>> action(type="mmjsonparse") # parse CEE-formatted messages
>>
>> template(name="syslog-cee" type="list") { # Elasticsearch documents will contain
>>     property(name="$!all-json")           # all JSON fields that were parsed
>> }
>> ```
>
>
> liblognorm v2 supports non cee json, so you would have a rule something like
>
> rule=: @cee:%.:json%
> rule=: %.:json%
>
> and then use mmnormalize to parse the rule and all the info will show up
> under $!
>
> by the way, look at what's in $! vs $!all-json. I believe that the latter
> includes multiple copies of many things.

It probably makes sense to add some direct support to mmjsonparse, more
details at https://github.com/rsyslog/rsyslog/issues/940

Rainer

>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
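
The mmnormalize approach from the thread, put together as an added example that is not part of the original messages or the rsyslog project's own configuration. The file paths, ruleset and template names, Kafka broker and topic are assumptions; the two rules are the ones quoted above, and lines that fail to parse are written to a separate file so they are not lost or forwarded as empty documents.

```rsyslog
# Added example. Paths, names, broker and topic are assumptions.
#
# /etc/rsyslog.d/json.rb (assumed path) is a liblognorm v2 rulebase holding
# the two rules from the reply above:
#
#   version=2
#   rule=: @cee:%.:json%
#   rule=: %.:json%

module(load="imfile")
module(load="mmnormalize")
module(load="omkafka")

# Application log files: one JSON object per line, no @cee cookie.
input(type="imfile"
      File="/var/log/myapp/*.log"
      Tag="myapp:"
      ruleset="app-json")

# Emit the parsed tree ($!) rather than $!all-json.
template(name="app-json-out" type="string" string="%$!%")

ruleset(name="app-json") {
    # Parse the line with the rulebase; parsed fields land under $!
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/json.rb")

    if $parsesuccess == "OK" then {
        action(type="omkafka"
               broker=["localhost:9092"]
               topic="app-logs"
               template="app-json-out")
    } else {
        # Keep lines that did not parse as JSON for later inspection.
        action(type="omfile" file="/var/log/rsyslog-unparsed-json.log")
    }
}
```

Whether the rules need the leading space after `rule=:` depends on how the message text reaches mmnormalize, so check the rulebase against a sample line with liblognorm's `lognormalizer` tool before deploying.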

