On Thu, 23 Feb 2017, Alec Swan via rsyslog wrote:
Liblognorm v2 supports json parser but it looks like it cannot be applied
to the entire log message, which is sad.
sure it can.
you can configure mmnormalize to pass $msg to the parser engine, $rawmsg, or
$!whatever.
If your messages arrive in different formats, you can do a couple of things.
1. do a 2-stage parse where you first check the raw message, and if it's not
parsed successfully, pass it to a ruleset that parses $msg
2. create a ruleset that parses the headers for the different formats
3. try to create a standard format that you then parse
I did a combination of these. I first did a mmnormalize call that checked if the
message was raw json, if so I parsed it.
I then created a 'standard message' format that contained hostname and syslogtag
as well as $msg (I really wanted to be able to include syslogtag in my parsing
rules and sometimes hostname is misparsed if the input is malformed enough) as
$.msg and passed that to mmnormalize with my main ruleset.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
