[rsyslog-notify] Forum Thread: rsyslog hierarchical json into mongo - (Mode 'post')
noreply at adiscon.com
Wed Feb 26 15:45:52 CET 2014
User: dom_f
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24259#p24259
Message:
----------
We have been using rsyslog to log to file successfully for some time. I
have configured logging of all 'user' events to mongodb as below:
[code:2z9z6hcr]
template(name="BSON" type="string" string="\"sys\" : \"%hostname%\",
\"time\" : \"%timereported:::rfc3339%\", \"time_rcvd\"
: \"%timegenerated:::rfc3339%\", \"msg\" : \"%msg%\",
\"syslog_fac\" : \"%syslogfacility%\", \"syslog_sever\" :
\"%syslogseverity%\", \"syslog_tag\" : \"%syslogtag%\", \"procid\"
: \"%programname%\", \"pid\" : \"%procid%\", \"level\" :
\"%syslogpriority-text%\"")
user.* action(type="ommongodb"
server="localhost" serverport="27017" db="log" uid="changed" pwd="changed"
collection="events" template="BSON")
[/code:2z9z6hcr]
This works successfully and I have the following examples in the logfile:
[code:2z9z6hcr]
Feb 26 14:20:52 dev1 {"timestamp": "2014-02-26
14:20:52.514562", "pid": 16303, "module":
"/home/dom/code/Controller/controller.py", "host":
"dev1.domain.com", "user": "dom", "frame2": null,
"frame1": null, "message_type": "cpu", "token":
"2708fee4059d458870a2434360a9c2aed81dc748", "type": "log", "cpu":
0.38}
[/code:2z9z6hcr]
and in mongo:
[code:2z9z6hcr]
{ "_id" : ObjectId("530df8447f4bb1249f3bb319"),
"hostname" : "dev1", "timereported" : "Feb 26 14:20:52",
"timegenerated" : "Feb 26 14:20:52", "msg" : " \"2014-02-26
14:20:52.514562\", \"pid\": 16303, \"module\":
\"/home/dom/code/Controller/controller.py\", \"host\":
\"dev1.domain.com\", \"user\": \"dom\", \"frame2\": null,
\"frame1\": null, \"message_type\": \"cpu\", \"token\":
\"2708fee4059d458870a2434360a9c2aed81dc748\", \"type\": \"testlog\",
\"cpu\": 0.38}", "syslogfacility" : "1", "syslogseverity" :
"6", "syslogtag" : "{\"timestamp\":", "programname" :
"{\"timestamp\"", "procid" : "-", "syslogpriority-text" : "info" }
[/code:2z9z6hcr]
As you can see I have the various 'parts' of the JSON encoded message being
loaded into a single 'msg:' field in Mongo.
After much googling I have been unable to parse this in rsyslog so that it
is 'properly' represented in mongo.
Any help would be greatly appreciated.
Dom
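
Added example, not part of the post above and not rsyslog's own code: the stored record shows the syslog parser took the text up to the first space as the tag, so the JSON payload is split between "syslogtag" and "msg". This Python sketch rejoins the two and nests the parsed payload under an "event" key (a hypothetical field name); the record below is constructed from the Mongo document in the post.

```python
import json

# Constructed sample: fields copied from the Mongo document shown in the post,
# trimmed to the ones that matter here.
STORED = {
    "hostname": "dev1",
    "syslogtag": '{"timestamp":',
    "programname": '{"timestamp"',
    "msg": ' "2014-02-26 14:20:52.514562", "pid": 16303, '
           '"module": "/home/dom/code/Controller/controller.py", '
           '"host": "dev1.domain.com", "user": "dom", "frame2": null, '
           '"frame1": null, "message_type": "cpu", '
           '"token": "2708fee4059d458870a2434360a9c2aed81dc748", '
           '"type": "testlog", "cpu": 0.38}',
    "syslogseverity": "6",
}


def rebuild_event(record):
    """Return a copy of record with the JSON payload as a nested 'event' document.

    Try 'msg' alone first (payload intact), then tag + msg (payload split by
    the tag parser). Records whose payload is not a JSON object are returned
    unchanged, so ordinary syslog lines are left as they are.
    """
    tag, msg = record.get("syslogtag", ""), record.get("msg", "")
    for candidate in (msg, tag + msg):
        try:
            event = json.loads(candidate)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            continue
        if isinstance(event, dict):
            # The tag and program name are only payload fragments; drop them.
            fixed = {k: v for k, v in record.items()
                     if k not in ("msg", "syslogtag", "programname")}
            fixed["event"] = event
            return fixed
    return dict(record)


if __name__ == "__main__":
    print(json.dumps(rebuild_event(STORED), indent=2))
```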