Hi,
I am trying to get mmnormalize to work with the examples given in the liblognorm
documentation
<https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#json>.
I tried a couple but could not get it to work. What is missing or how can I
get mmnormalize to parse text as expected?
*System Details:*
Ubuntu, rsyslog 8.39.0, installed mmnormalize separately using
rsyslog-mmnormalize
*Rulebase:*
File name: txtrulebase.rb
version=2
# {"f1": "1"} interim text {"f2": 2}
rule=:%field1:json%interim text %field2:json%'
*Output:*
As shown below, the attribute between "_log_" and "msg" is blank. This is where
I inserted the output that comes from mmnormalize.
{"appName":"-", "hostname":"host-name-1", "event":[{"payload":{"_log_":"catalina", ,"msg":"{\"f1\": \"1\"} interim text {\"f2\": 2}"}}]}
*Input text in catalina.out*
{"f1": "1"} interim text {"f2": 2}
*rsyslog.conf*
# Load Modules
module (load="imfile" mode="inotify") # for text file with inotify instead of polling
module (load="builtin:omfile" dirCreateMode="0775" fileCreateMode="0664" )
module(load="mmnormalize") # text parsing
# RAW - don't format
template(name="ulog-raw-format" type="list") {
    property(name="msg" droplastlf="on")
    constant(value="\n")
}
# Template for plain text formatted log messages.
template(name="ulog-text-format" type="list") {
    constant(value="{")
    property(outname="appName" name="procid" format="jsonf")
    constant(value=", ")
    property(outname="hostname" name="hostname" format="jsonf")
    constant(value=", ")
    constant(value="\"event\":[{")
    #property(outname="uuid" name="msgid" format="jsonf")
    constant(value=", ")
    constant(value="\"payload\":{")
    property(outname="_log_" name="syslogtag" format="jsonf")
    constant(value=", ")
    #property(name="$!usr!rcvdat" outname="dt1" format="jsonf")
    constant(value=", ")
    #property(name="$!usr!company" outname="company" format="jsonf") constant(value=", ")
    property(name="$!usr!field1" outname="field2" format="json")
    constant(value=",")
    property(name="msg" format="jsonf" droplastlf="on" )
    constant(value="}")
    constant(value="}]} \n")
}
# the main attraction
ruleset(name="catalina-ruleset"
        queue.type="fixedArray"
        queue.size="250000"
) {
    action(type="omfile" template="ulog-raw-format"
           File="/apps/tomcat/logs/rawcatalina.out" ioBufferSize="64k"
           flushOnTXEnd="off" asyncWriting="on")
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/txtrulebase.rb"
           userawmsg="on")
    action(type="omfile" template="ulog-text-format"
           File="/apps/tomcat/logs/textp.out" ioBufferSize="64k" flushOnTXEnd="off"
           asyncWriting="on")
}
input(type="imfile" File="/apps/tomcat/logs/catalina.out" Tag="catalina"
      ruleset="catalina-ruleset" readMode="2" escapeLF="off"
      reopenOnTruncate="on")
Thank you,
Lavanya K
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
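
Added example, not part of the original post and not taken from the rsyslog or liblognorm documentation: a debugging variant of the mmnormalize step in the configuration above. It relies on two documented behaviours: mmnormalize stores parsed fields under its path parameter, which defaults to "$!" (so field1 ends up in $!field1, while the posted template reads $!usr!field1), and it sets the parsesuccess property to OK or FAIL. The template name ulog-norm-debug and the file normdebug.out are assumptions made for this example.

```rsyslog
# Added debugging example; the template name and the output file are assumptions.
# Writes one line per message: the parse result, then the complete JSON tree
# that mmnormalize produced, so missing or misplaced fields become visible.
template(name="ulog-norm-debug" type="list") {
    property(name="parsesuccess")   # "OK" or "FAIL", set by mmnormalize
    constant(value=" ")
    property(name="$!all-json")     # everything currently stored under $!
    constant(value="\n")
}

ruleset(name="catalina-ruleset") {
    # path="$!usr" places the parsed fields at $!usr!field1 and $!usr!field2,
    # which is where the ulog-text-format template looks for them.
    # Without path, the fields go to the default "$!", i.e. $!field1.
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/txtrulebase.rb"
           useRawMsg="on" path="$!usr")
    action(type="omfile" template="ulog-norm-debug"
           File="/apps/tomcat/logs/normdebug.out")
}
```

When the line starts with FAIL, the JSON carries liblognorm's originalmsg and unparsed-data fields, which show the point at which the rule stopped matching. The v2 rule syntax is only used when version=2 is the very first line of the rulebase file.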