• Linux
• Rsyslog
• Json

Linux/Rsyslog/Json

• Links Json Format

• Why ? Structured fields.

Parse incoming json

• Msg should start with  CEE: { } 

• Use module mmjsonparse

  module(load="mmjsonparse") #for parsing CEE-enhanced syslog messages
  #try to parse a structured log
  *.* :mmjsonparse:

• e.g. json log

  # logger ‘@cee: {“foo”: “bar”, “foo2”: “bar2″}’

Template to generate json msg

• Template basic

  #define a template to print all fields of the message
  template(name="messageToES" type="list") {
    property(name="$!all-json")
  }

• Template custom

  template(name="customTemplate" type="list") {
     constant(value="{\"timestamp\":\"")
     property(name="timereported" dateFormat="rfc3339")
     constant(value="\",\"syslogtag\":\"")
     property(name="syslogtag" format="json")
  #- close the quotes for syslogtag
  #- add a comma
  #- then add our JSON-formatted syslog message,
  # but start from the 2nd position to omit the left
  # curly bracket, continue json.
     constant(value="\",")
     property(name="$!all-json" position.from="2")
  }

Json size

• Maybe increase max msg size from default 8k with

  $MaxMessageSize 64k