2013/4/20 David Lang <[email protected]>
> On Fri, 19 Apr 2013, Erik Steffl wrote:
>
>> Trying to figure out how to use JSON when logging using rsyslog. Would
>> like to have both incoming and outgoing messages be in JSON.
>>
>> It seems that incoming messages should be CEE messages, something like
>> @cee:{"f:":"1", "msg":"some text"}
>>
>> For outgoing message there would be a template defined that uses
>> $!all-json (parsed incoming message) and is in JSON format.
>>
>> As far as I can tell I need the mmjsonparse module.
>>
>> Is there a good example/explanation somewhere for a similar scenario? I
>> see the above terms used in number of places I found on the net but they
>> are very fragmented and lot of them seem to be outdated.
>>
>> Example config I came up with:
>>
>> module(load="mmjsonparse")
>> $template text, "{\"message\":\"%msg%\"}\n"
>> $template json, "{\"message\":\"%$!all-json%\"**}\n"
>> local0.* mmjsonparse
>> & /var/log/erikTest.log;json
>> & /var/log/erikTest.log;text
>> & ~
>>
>> Testing using: logger --priority local0.notice --id '@cee:{"f:":"1",
>> "msg":"some text"}'
>>
>> Result (in /var/log/erikTest.log):
>>
>> {"message":"**INVALID PROPERTY NAME**$!all-json**INVALID PROPERTY NAME**"}
>> {"message":" @cee:{"f:":"1", "msg":"some text"}"}
>>
>> This is on Ubuntu 12.10 using Ubuntu rsyslog 5.8.6-1ubuntu9.1
>>
>> Is this too old for $!all-json? Am I using it incorrectly? Help/pointers
>> appreciated on how to solve this, how to troubleshoot etc.
>>
>
> Yes, 5.x is _way_ too old for JSON, you need to be using a 7.x version,
> and I would _strongly_ recommend using the latest development right now.
> The change rate recently has been very high.
>
> David Lang
>
>
>
Also, when you write templates for output as JSON, make sure characters
like the double quotes get escaped. With your example:

    $template text, "{\"message\":\"%msg%\"}\n"

You can see that if the message contains quotes they won't get escaped and
you won't have valid JSON. So you'll need to do something like this
instead:

    $template text, "{\"message\":\"%msg:::json%\"}\n"

In the v7 template format, it looks a bit nicer. Something like this:

    template(name="text" type="list") {
        constant(value="{\"@message\":\"")
        property(name="msg" format="json")
        constant(value="\"}")
    }

And if you want to see if the message you received is CEE or not, you can
use the "parsesuccess" property. For example:

    *.* :mmjsonparse:
    if $parsesuccess == "OK" then action(
        # do something here with CEE-formatted logs
    );
    else action(
        # do something here with plain logs
    );

Best regards,
Radu
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
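
Added example (not part of the original thread and not rsyslog code): a Python sketch of the escaping problem described in the reply above, checking what a downstream JSON parser sees for each template. render_raw and render_escaped are hypothetical helpers imitating the two templates, json.dumps standing in for rsyslog's json escaping is an assumption, and every sample except the @cee line quoted in the thread is constructed.

```python
import json

def render_raw(msg):
    # Imitates "{\"message\":\"%msg%\"}\n": the message is pasted in verbatim.
    return '{"message":"' + msg + '"}'

def render_escaped(msg):
    # Imitates "{\"message\":\"%msg:::json%\"}\n". json.dumps stands in for
    # rsyslog's json escaping (assumption); [1:-1] drops the outer quotes.
    return '{"message":"' + json.dumps(msg)[1:-1] + '"}'

def classify(line, original):
    """'invalid' = not JSON, 'altered' = parses but differs, 'ok' = round-trips."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return "invalid"
    return "ok" if record == {"message": original} else "altered"

SAMPLES = [
    'some text',                               # constructed: nothing to escape
    ' @cee:{"f:":"1", "msg":"some text"}',     # the test message from the thread
    'user said "hello"',                       # constructed: embedded quotes
    'x","extra":"y',                           # constructed: quotes that close the string early
    'path C:\\temp\\new',                      # constructed: backslashes read as \t and \n
]

def audit(samples):
    # Map each message to (status with raw template, status with escaped template).
    return {m: (classify(render_raw(m), m), classify(render_escaped(m), m))
            for m in samples}

if __name__ == "__main__":
    for msg, (raw, escaped) in audit(SAMPLES).items():
        print(f"{msg!r:45} raw={raw:8} escaped={escaped}")
```

The "altered" rows are the ones to watch for when reviewing a pipeline: the line still parses, so nothing fails loudly, but the stored record no longer matches what was sent.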