Hi Mahesh,
Your template is supposed to output valid JSON. Your message can be
whatever you want (JSON or not). Here's a reference:
http://blog.sematext.com/2013/05/28/structured-logging-with-rsyslog-and-elasticsearch/
A valid template would be this one:
template (name="apsimTemplate" type="list" option.json="on") {
constant(value="{")
constant(value="\"@message\":\"")
property(name="msg")
constant(value="\"}")
}
Which differs only a bit from the one you pasted, which had an extra quote
and comma before @message:
constant(value="\",\"@message\":\"") instead of
constant(value="\"@message\":\"")
Best regards,
Radu
2013/6/18 Mahesh V <[email protected]>
> Hello,
>
> I would like to know how to format the rsyslog message in the client
> programs to get it parsed by json to be entered
> in elasticsearch.
>
> My rsyslog.conf has the following entries
>
> template (name="apsimTemplate" type="list" option.json="on") {
> constant(value="{") constant(value="\",\"@message\":\"")
> property(name="msg") constant(value="\"}") }
>
> *.* action(type="omelasticsearch" template="apsimTemplate" )
>
>
> and I use syslog with the formatted message as shown here : syslog
> (LOG_NOTICE, "{ \"@message\":\"A tree falls in a forest %d\" }", i);
>
> But the entries do not show up in elasticsearch.log
>
> what am I missing?
>
> thanks
> Mahesh
>
>
>
>
> On Mon, Jun 17, 2013 at 7:16 PM, Mahesh V <[email protected]
> >wrote:
>
> > Hello Folks,
> >
> > if I put the below two lines in rsyslog.conf and run a simple executable
> > as shown
> > below I do not get any entries in elasticsearch logs.
> >
> > #include <stdio.h>
> > #include <syslog.h>
> >
> > int main(void)
> > {
> >     int i = 0;
> >     setlogmask (LOG_UPTO (LOG_NOTICE));
> >     openlog ("exampleprog", LOG_PID | LOG_NDELAY, LOG_DAEMON);
> >     perror("openlog");
> >     for(i = 0; i < 500000; i++) {
> >         //syslog (LOG_NOTICE, "A tree falls in a forest %d", i);
> >         syslog (LOG_NOTICE, "{ \"@message\":\"A tree falls in a forest %d\" }", i);
> >         //usleep(200);
> >     }
> >     closelog ();
> >     return 0;
> > }
> > template (name="apsimTemplate" type="list" option.json="on") {
> > constant(value="{") constant(value="\",\"@message\":\"")
> > property(name="msg") constant(value="\"}") }
> >
> > *.* action(type="omelasticsearch" template="apsimTemplate" ) # searchIndex="srchidx")
> >
> >
> > whereas if I put the below line in /etc/rsyslog.conf, the lines appear.
> > jsonlint validates the line in syslog function.
> >
> > *.* /var/log/elasticsearch/elasticsearch.log
> > What could be the issue?
> > thanks
> > Mahesh
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
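Added example, not part of the original thread: a Python sketch that mimics how the two list templates discussed above are assembled and runs each result through a JSON parser. The render/check helpers and the sample message are constructed here, and json.dumps is assumed as a stand-in for rsyslog's own option.json escaping.

```python
import json

# Each template is the list of elements from the thread, in order:
# ("constant", text) is emitted verbatim, ("property", name) is looked up
# in the message and JSON-escaped, as option.json="on" requests.
PASTED = [("constant", "{"), ("constant", "\",\"@message\":\""),
          ("property", "msg"), ("constant", "\"}")]
FIXED = [("constant", "{"), ("constant", "\"@message\":\""),
         ("property", "msg"), ("constant", "\"}")]


def json_escape(value):
    # Assumption: json.dumps stands in for rsyslog's own JSON escaping.
    return json.dumps(value)[1:-1]


def render(template, props):
    """Concatenate the template elements the way a list template does."""
    out = []
    for kind, arg in template:
        out.append(arg if kind == "constant" else json_escape(props[arg]))
    return "".join(out)


def check(template, props):
    """Return (rendered_document, parsed_dict_or_None)."""
    doc = render(template, props)
    try:
        return doc, json.loads(doc)
    except ValueError:
        # The rendered document is not valid JSON.
        return doc, None


# Constructed sample: the msg property as the client's syslog() call sends it.
SAMPLE = {"msg": '{ "@message":"A tree falls in a forest 7" }'}

if __name__ == "__main__":
    for name, tpl in (("pasted", PASTED), ("fixed", FIXED)):
        doc, parsed = check(tpl, SAMPLE)
        print(name, "valid" if parsed is not None else "INVALID", doc)
```

The pasted template fails to parse because of the stray quote and comma after the opening brace; with the fixed template the client's JSON-looking message ends up as an escaped string inside the @message field.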