You could do something like this:
## mmjsonparse has to be loaded once at the top of the config:
## module(load="mmjsonparse")

## Note the space, then curly brace
if $msg startswith " {" then {
    ## cookie="" because these messages carry no "@cee:" prefix, which
    ## mmjsonparse requires by default
    action(type="mmjsonparse" cookie="")
    if $parsesuccess == "OK" then {
        ## Valid JSON log. Do stuff with JSON like omelasticsearch or the like
    } else {
        ## Message started with a curly brace but isn't JSON...
        ## do more parsing and then look for parse success to properly parse
        ## and index the data
    }
} else {
    ## Message is a normal message, go and do more parsing, field
    ## adding, etc...
}
Cheers,
JB
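
Added example, not part of the original post: a complete central-server ruleset built on the check above, which emits one JSON object per message whether it arrived as JSON or as plain syslog. The ruleset name, port, file path and field names are assumptions chosen for illustration.

```rsyslog
module(load="imtcp")
module(load="mmjsonparse")

# Write the whole $! variable tree as one JSON object per line
template(name="all_json" type="list") {
    property(name="$!all-json")
    constant(value="\n")
}

ruleset(name="central") {
    # Only try the JSON parser on messages that look like JSON
    if $msg startswith " {" then {
        # cookie="" accepts JSON without the default "@cee:" prefix
        action(type="mmjsonparse" cookie="")
    }

    if $parsesuccess == "OK" then {
        # Sender's JSON fields are now under $!
        set $!log_format = "json";
    } else {
        # Plain syslog, or text that started with "{" but failed to parse:
        # build the JSON fields from the parsed syslog header instead
        set $!log_format = "syslog";
        set $!host = $hostname;
        set $!program = $programname;
        set $!severity = $syslogseverity-text;
        set $!facility = $syslogfacility-text;
        set $!message = $msg;
    }

    # Collector-side fields are set after parsing so that a value with the
    # same name supplied in the sender's JSON is overwritten, not trusted
    set $!received_from = $fromhost-ip;

    # Assumed output; omelasticsearch or another output can use the same template
    action(type="omfile" file="/var/log/central/all.json" template="all_json")
}

input(type="imtcp" port="514" ruleset="central")
```

Messages that start with a brace but fail to parse end up with log_format "syslog" and the raw text in the message field, so they can be found and reviewed rather than silently dropped.
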
On Mon, Jun 1, 2020 at 1:27 PM John Chivian via rsyslog <
[email protected]> wrote:
> How to tell them apart? Evaluate the content of msg or rawmsg.
>
> The task overall is simpler if the JSON messages have a syslog header
> such that the JSON content is contained in the msg object. Otherwise
> expect some "interesting" content in the header fields unless a custom
> parser is written.
>
> How to translate plain text to JSON? This question is not complete enough.
>
> If you simply want the RFC5424 data fields written out in JSON format,
> then use one of the JSON encoding options in an output template.
> However, if the plain text object needs to be parsed for custom
> field/value pairs, then a message parser or normalization routine is
> needed.
>
> The nudge in the right direction is here...
> https://www.rsyslog.com/doc/v8-stable/
>
> Regards,
>
>
> On 6/1/20 11:55 AM, MAUPERTUIS, PHILIPPE via rsyslog wrote:
> > Hi list,
> > On a central log server, I need to be able to receive both json messages
> > and old plain text messages.
> > I need to find out if the message is in syslog format or in json
> > What is the best way to do so?
> > Then if it is a plain syslog message I need to translate it to json and
> > add some fields.
> > How should I do that?
> > I would appreciate any help pointing me in the right direction.
> > Philippe
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.