I put this line in my config:

$template JSONCEE,"{\"msg\":\"%msg:::json%\",\"pname\":\"%programname%\",\"host\":\"%HOSTNAME:::json%\",\"syslog!fac\":\"%syslogfacility%\",\"syslog!pri\":\"%syslogpriority%\",\"time\":\"%timereported:::date-rfc3339%\"}"


and selected it in the action for omelasticsearch:

local2.* action(type="omelasticsearch"
           template="JSONCEE")


Notice that in the CEE profile[1], the following are mandatory; they are
not the same as the names used in the rsyslog default template:

host
pname
time
msg


I tested this for regular Syslog events coming from a non-CEE source.

Regards,

Daniel


On 09/07/2021 17:47, Daniel Pocock wrote:
> 
> 
> 
> https://www.rsyslog.com/files/temp/doc-indent/configuration/modules/omelasticsearch.html
> 
> 
> Default value of template=" ... " is
> 
> $template JSONDefault,"{\"message\":\"%msg:::json%\",\"fromhost\":\"%HOSTNAME:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}"
> 
> 
> 
> This does not look like JSON CEE.
> 
> Therefore, if other applications are submitting CEE events[1] to
> rsyslog, they do not use the same field names.
> 
> Which JSON schema (if any) does the JSONDefault value attempt to comply
> with?
> 
> Is there a recommended value of JSONDefault for CEE fields?
> 
> Regards,
> 
> Daniel
> 
> 1. https://cee.mitre.org/language/1.0-beta1/core-profile.html
> 
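As an added example (not from this thread and not rsyslog's own code), the following Python script models the two templates above as key-to-property mappings, renders a constructed event through each, and checks the result against the mandatory CEE core-profile fields; the json_escape helper only approximates what rsyslog's ':::json' property option does.

```python
import json
import re

# Mandatory fields of the CEE core profile, as listed in the post.
CEE_REQUIRED = ("host", "pname", "time", "msg")
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# The two templates from the thread as {json key: rsyslog property} mappings.
JSONCEE = {"msg": "msg", "pname": "programname", "host": "HOSTNAME",
           "syslog!fac": "syslogfacility", "syslog!pri": "syslogpriority",
           "time": "timereported"}
JSONDEFAULT = {"message": "msg", "fromhost": "HOSTNAME",
               "facility": "syslogfacility-text", "priority": "syslogpriority-text",
               "timereported": "timereported", "timegenerated": "timegenerated"}

def json_escape(value):
    """Approximate rsyslog's ':::json' option (assumption: similar to, but
    not, rsyslog's code): escape quotes, backslashes and control characters."""
    return json.dumps(str(value))[1:-1]

def render(template, event, escape=True):
    """Build the JSON document a template would emit for one event.
    escape=False shows what happens when ':::json' is left off a property."""
    esc = json_escape if escape else str
    body = ",".join('"%s":"%s"' % (k, esc(event[p])) for k, p in template.items())
    return "{" + body + "}"

def cee_problems(doc):
    """List CEE core-profile violations in a rendered document: unparsable
    JSON, missing mandatory fields, or a 'time' value that is not RFC 3339."""
    try:
        parsed = json.loads(doc)
    except ValueError:
        return ["not valid JSON"]
    problems = ["missing %s" % f for f in CEE_REQUIRED if f not in parsed]
    if "time" in parsed and not RFC3339.match(parsed["time"]):
        problems.append("time is not RFC 3339")
    return problems

# Constructed sample event; the msg carries quotes to show why ':::json' matters.
SAMPLE = {"msg": 'Accepted publickey for "bob"', "programname": "sshd",
          "HOSTNAME": "web01", "syslogfacility": "18", "syslogpriority": "6",
          "syslogfacility-text": "local2", "syslogpriority-text": "info",
          "timereported": "2021-07-09T17:47:00+02:00", "timegenerated": "2021-07-09T17:47:01+02:00"}

if __name__ == "__main__":
    for name, tpl in (("JSONCEE", JSONCEE), ("JSONDefault", JSONDEFAULT)):
        print(name, render(tpl, SAMPLE), cee_problems(render(tpl, SAMPLE)))
    print("unescaped msg:", cee_problems(render(JSONCEE, SAMPLE, escape=False)))
```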
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog