Re: [rsyslog] Json (CEE?) logging using rsyslog

Sun, 21 Apr 2013 21:35:52 -0700 

On 04/19/2013 09:39 PM, David Lang wrote:

On Fri, 19 Apr 2013, Erik Steffl wrote:


 Trying to figure out how to use JSON when logging using rsyslog.
Would like to have both incoming and outgoing messages be in JSON.

 It seems that incoming messages should be CEE messages, something
like @cee:{"f:":"1", "msg":"some text"}

 For outgoing message there would be a template defined that uses
$!all-json (parsed incoming message) and is in JSON format.

 As far as I can tell I need the mmjsonparse module.

 Is there a good example/explanation somewhere for a similar scenario?
I see the above terms used in number of places I found on the net but
they are very fragmented and lot of them seem to be outdated.

 Example config I came up with:

module(load="mmjsonparse")
$template text, "{\"message\":\"%msg%\"}\n"
$template json, "{\"message\":\"%$!all-json%\"}\n"
local0.* mmjsonparse
& /var/log/erikTest.log;json
& /var/log/erikTest.log;text
& ~

Testing using: logger --priority local0.notice --id '@cee:{"f:":"1",
"msg":"some text"}'

Result (in /var/log/erikTest.log):

{"message":"**INVALID PROPERTY NAME**$!all-json**INVALID PROPERTY
NAME**"}
{"message":" @cee:{"f:":"1", "msg":"some text"}"}

 This is on Ubuntu 12.10 using Ubuntu rsyslog 5.8.6-1ubuntu9.1

 Is this too old for $!all-json? Am I using it incorrectly?
Help/pointers appreciated on how to solve this, how to troubleshoot etc.


Yes, 5.x is _way_ too old for JSON, you need to be using a 7.x version,
and I would _strongly_ recommend using the latest development right now.
The change rate recently has been very high.


  what's a preferred way to get v7 (in ubuntu)? I see that there are:

  - http://www.rsyslog.com/ubuntu-repository/ (says it's experimental)

  - https://launchpad.net/~tmortensen/+archive/rsyslogv7
- https://launchpad.net/~gchinis/+archive/rsyslog7 (looks like subset of the previous one but slightly different versions) 

  - just download/compile?

  thanks!

        erik
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to