That's awesome: I got it working with mmnormalize and think the github issue is a much more natural way also :-)
On 7 April 2016 at 10:14, Rainer Gerhards <[email protected]> wrote: > 2016-04-06 20:50 GMT+02:00 David Lang <[email protected]>: >> On Wed, 6 Apr 2016, Matt Ford wrote: >> >>> Hi, >>> >>> I'm sending syslog data that's formatted as json via a rsyslog >>> template to kafka. Works great. >>> >>> Most of the applications in my infrastructure (there are many) also >>> write logging output to files as JSON (one long json string per line). >>> >>> I'd love to be able to use this data in a template in Rsyslog but I'm >>> not sure how. The logging lines are not @cee tagged and that won't be >>> changed :-( >>> >>> Ideally something like this - any pointers, anyone, on what I might do? >>> >>> ``` >>> action(type="mmjsonparse") # parse CEE-formatted messages >>> >>> template(name="syslog-cee" type="list") { # Elasticsearch documents >>> will contain >>> property(name="$!all-json") # all JSON fields that were >>> parsed >>> } >>> ``` >> >> >> liblognorm v2 supports non cee json, so you would have a rule something like >> >> rule=: @cee:%.:json% >> rule=: %.:json% >> >> and then use mmnormalize to parse the rule and all the info will show up >> under $! >> >> by the way, look at what's in $! vs $!all-json. I believe that the latter >> includes multiple copies of many things. > > It probably makes sense to add some direct support to mmjsonparse, > more details at > > https://github.com/rsyslog/rsyslog/issues/940 > > Rainer >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
