Hi David,
Until the vendor has changed the log output format, I receive the logs
with this:
# Add this to reset the umask
$umask 0000
#BEGIN TEMPLATE
# template to add source ip
template( name="addFrmHstUDP" type="list")
{
    property( name="fromhost-ip" )
    constant( value=" " )
    property( name="msg" )
    constant( value="\n" )
}
# template to set the log filename
template( name="rmt_sys_netlogs_udp" type="list")
{
    property( name="$.mstoredir" )
    constant( value="/" )
    property( name="$.mprefix" )
    constant( value="." )
    property( name="timegenerated" dateformat="year" )
    property( name="timegenerated" dateformat="month" )
    property( name="timegenerated" dateformat="day" )
    property( name="timegenerated" dateformat="hour" )
    constant( value="00" )
}
#END TEMPLATE
ruleset( name="udp-netlogs-tool"){
    reset $.mstoredir = "/data/logs";
    action( name="logs-udp"
            type="omfile"
            DynaFile="rmt_sys_netlogs_udp"
            DirOwner="root"
            DirGroup="netlogs"
            FileOwner="root"
            FileGroup="netlogs"
            DirCreateMode="0750"
            FileCreateMode="0640"
            template="addFrmHstUDP"
            closeTimeout="2"
            dynaFileCacheSize="2"
    )
}
ruleset( name="dp65309udp" )
{
    reset $.mprefix = "public2";
    call udp-netlogs-tool
}
Now I receive the log that I have shown you.
Cheers,
Maurizio
------ Original Message ------
From: da...@lang.hm
To: rsyslog@lists.adiscon.com
Cc: ama...@tin.it
Sent: Wednesday, 1 March 2023 14:10
Subject: Re: [rsyslog] received json log format
please post your config so we can understand if what you are
showing us is the result of your config or what is being sent to you.
If it's what is being sent to you, you would use mmnormalize to parse
it into variables, then create a custom template to assemble the message
format that you want to write out and then output the message with your
template
David Lang
On Wed, 1 Mar 2023, amaury--- via rsyslog wrote:
> Date: Wed, 1 Mar 2023 14:01:49 +0100 (CET)
> From: amaury--- via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: "ama...@tin.it"
> Subject: [rsyslog] received json log format
>
> Hello
> I receive on rsyslog-8.2102 a log in JSON format like this:
> LogRecord {id='null', date=1677669932610,
> applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269',
> domainName='public', serverIp='null', serverPort=null, clientIp='null',
> clientPort=null, sessionId='null', username='null', clientRequest='null',
> clientMessage='null', serverStatus='trigger completed',
> serverMessage='trigger=move document;
> eventId=8a8d22d9-fd5c-451b-817b-699c706db5d6', inboundBytes=null,
> outboundBytes=null}
> LogRecord {id='null', date=1677669932644,
> applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269',
> domainName='public', serverIp='ddd.ddd.ddd.ddd', serverPort=hhhh,
> clientIp='kkk.kkk.kkk.kkk', clientPort=9999,
> sessionId='134e7eed-af8b-48a5-bd7c-0cb48013dfda', username='user01',
> clientRequest='null', clientMessage='null', serverStatus='logged out',
> serverMessage='null', inboundBytes=null, outboundBytes=null}
> LogRecord {id='null', date=1677669932645,
> applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269',
> domainName='public', serverIp='ddd.ddd.ddd.ddd', serverPort=hhhh,
> clientIp='kkk.kkk.kkk.kkk', clientPort=9999,
> sessionId='134e7eed-af8b-48a5-bd7c-0cb48013dfda', username='user01',
> clientRequest='null', clientMessage='null', serverStatus='session closed',
> serverMessage='SFTP/SCP', inboundBytes=null, outboundBytes=null}
>
> Please, how can I convert and rewrite this in the log file as something like
> null 1677669932610 5fc42f05-36ab-45ff-908d-e7b978a88269 public null null null
> null null null null trigger completed trigger=move document
> 8a8d22d9-fd5c-451b-817b-699c706db5d6 null null
> ?
> Thank you
> Maurizio
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
>
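Added example, not part of the thread and not rsyslog configuration: a Python prototype of the field extraction that the parsing step suggested above has to perform on a LogRecord message, useful for checking field boundaries before writing the real rule. The names parse_logrecord and flatten are illustrative, and the sample is the first record from the original post.

```python
import re

# key=value where the value is '...' (may hold spaces, ';', '=') or a bare token.
PAIR = re.compile(r"(\w+)=(?:'([^']*)'|([^,}\s]+))")

# First record from the post above, line-wrapped as in the mail.
SAMPLE = """LogRecord {id='null', date=1677669932610,
applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269',
domainName='public', serverIp='null', serverPort=null, clientIp='null',
clientPort=null, sessionId='null', username='null', clientRequest='null',
clientMessage='null', serverStatus='trigger completed',
serverMessage='trigger=move document;
eventId=8a8d22d9-fd5c-451b-817b-699c706db5d6', inboundBytes=null,
outboundBytes=null}"""


def parse_logrecord(msg):
    """Parse one LogRecord {...} message strictly; raise ValueError if malformed."""
    text = " ".join(msg.split())  # undo line wrapping
    start, end = text.find("LogRecord {"), text.rfind("}")
    if start < 0 or end < start:
        raise ValueError("not a LogRecord message")
    body = text[start + len("LogRecord {"):end]
    fields, pos = {}, 0
    while pos < len(body):
        m = PAIR.match(body, pos)
        if m is None:
            raise ValueError(f"unparseable field at offset {pos}")
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
        if body.startswith(", ", pos):
            pos += 2
        elif pos != len(body):
            # e.g. a quote inside a value: refuse rather than guess the boundary
            raise ValueError(f"unexpected text at offset {pos}")
    return fields


def flatten(fields):
    """Values only, space separated, in record order (the layout asked for)."""
    values = [v.replace("; eventId=", " ") for v in fields.values()]
    return " ".join(values)


if __name__ == "__main__":
    print(flatten(parse_logrecord(SAMPLE)))
```

Because values such as serverStatus contain spaces, the flattened line cannot be split back into fields reliably; keep the parsed fields if the output feeds later processing.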