[rsyslog] Any good guides for generating JSON formatted log messages on rsyslog client nodes for processing on rsyslog receiver node?

rsyslog-users-lists.adiscon.net at whyaskwhy.org rsyslog-users-lists.adiscon.net at whyaskwhy.org
Tue Sep 19 04:45:40 CEST 2017


On 9/18/2017 12:02 PM, David Lang wrote:
> to send in JSON you need to create a custom template
> 
> I use something like (typed from memory, may be errors)
> $template structured,"<%pri%>%timestamp% %hostname% %syslogtag% %$!%\n"

Thanks for that. I found many examples where the templates were defined 
with the new syntax and using the list type. Other than how the template 
is put together piece by piece, is there an advantage of one over the other?

> getting things into different variables so that the result looks 
> reasonable takes a little more effort.

Different variables on the receiving side?

> 
> If what you are getting is json in the msg field to start with, you can 
> use mmjsonparse (but you may need to set the cee cookie to "" to parse 
> things correctly)

If I am sourcing the local log socket on the rsyslog client nodes, I 
assume that they're in the older syslog format? In that case, I have to 
use a template like the one you provided to send the content over in a 
format that rsyslog expects?

One part I'm not yet following is the use of either $! or all-json in 
the templates for sending messages to a remote node. Is that object (for 
lack of another word) populated using a template or mmjsonparse?

> If you are getting anything else, then you need to use mmnormalize to 
> parse the message.

So mmnormalize to convert syslog messages into JSON and then use the 
template you provided to ship in syslog format with the $! representing 
the parsed JSON data as the trailing portion of the message?

Just trying to make sure I understand how $! is constructed.

> on the sending system, log locally using RSYSLOG_DebugFormat and you 
> will be able to see what is in $! (and what else is known about the 
> message)
Thanks. That is actually one way that I was able to see that at one 
point during my testing that $! contained a string value for msg instead 
of JSON as expected.


More information about the rsyslog mailing list