On 9/18/2017 12:02 PM, David Lang wrote:
> to send in JSON you need to create a custom template
>
> I use something like (typed from memory, may be errors)
>
> $template structured,"<%pri%>%timestamp% %hostname% %syslogtag% %$!%\n"

Thanks for that. I found many examples where the templates were defined
with the new syntax and using the list type. Other than how the template
is put together piece by piece, is there an advantage of one over the other?

> getting things into different variables so that the result looks
> reasonable takes a little more effort.

Different variables on the receiving side?

> If what you are getting is json in the msg field to start with, you can
> use mmjsonparse (but you may need to set the cee cookie to "" to parse
> things correctly)

If I am sourcing the local log socket on the rsyslog client nodes, I
assume that they're in the older syslog format? In that case, I have to
use a template like the one you provided to send the content over in a
format that rsyslog expects?

One part I'm not yet following is the use of either $! or all-json in
the templates for sending messages to a remote node. Is that object (for
lack of another word) populated using a template or mmjsonparse?

> If you are getting anything else, then you need to use mmnormalize to
> parse the message.

So mmnormalize to convert syslog messages into JSON and then use the
template you provided to ship in syslog format with the $! representing
the parsed JSON data as the trailing portion of the message?

Just trying to make sure I understand how $! is constructed.

> on the sending system, log locally using RSYSLOG_DebugFormat and you
> will be able to see what is in $! (and what else is known about the
> message)

Thanks. That is actually one way that I was able to see that at one
point during my testing that $! contained a string value for msg instead
of JSON as expected.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
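
Added example, not part of the original thread or the rsyslog project's own configuration: a sender-side setup in the newer syntax that combines the pieces discussed above, namely mmjsonparse with an empty cookie to populate $!, the quoted legacy template rewritten as a list template, and a local RSYSLOG_DebugFormat file for inspecting $!. The target host, port, file path and the choice to forward only successfully parsed messages are assumptions made for illustration.

```conf
# Sender-side rsyslog.conf fragment (illustrative; host, port and path are placeholders)

module(load="imuxsock")      # local log socket
module(load="mmjsonparse")   # fills $! from JSON found in the message

# List-type form of the legacy "structured" template quoted in the thread:
# <PRI>TIMESTAMP HOSTNAME TAG {json tree}
template(name="structured" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    constant(value=" ")
    property(name="$!")          # the whole JSON tree
    constant(value="\n")
}

# cookie="" makes mmjsonparse accept a message that is JSON with no
# "@cee:" prefix, as suggested in the thread.
action(type="mmjsonparse" cookie="")

# Inspect what ended up in $! (and every other property) for each message.
action(type="omfile" file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")

# Forward only messages whose payload parsed as JSON; for the rest,
# $! would not hold the structured fields the receiver expects.
if $parsesuccess == "OK" then {
    action(type="omfwd" target="central.example.net" port="514"
           protocol="tcp" template="structured")
}
```

Messages that are not JSON to begin with would need an mmnormalize action with a rulebase in place of the mmjsonparse action, as the quoted advice says.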