Differences between revisions 1 and 2

Linux/Rsyslog/Json

Links Json Format
Why ? Structured fields.

Parse incoming json

Msg should start with CEE: { }

Use module mmjsonparse

module(load="mmjsonparse") #for parsing CEE-enhanced syslog messages
#try to parse a structured log
*.* :mmjsonparse:

e.g. json log

# logger ‘@cee: {“foo”: “bar”, “foo2”: “bar2″}’

Template to generate json msg

Template basic

#define a template to print all fields of the message
template(name="messageToES" type="list") {
  property(name="$!all-json")
}

Template custom

template(name="customTemplate" type="list") {
   constant(value="{\"timestamp\":\"")
   property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"syslogtag\":\"")
   property(name="syslogtag" format="json")
#- close the quotes for syslogtag
#- add a comma
#- then add our JSON-formatted syslog message,
# but start from the 2nd position to omit the left
# curly bracket, continue json.
   constant(value="\",")
   property(name="$!all-json" position.from="2")
}

Json size

Maybe increase max msg size from default 8k with
```
$MaxMessageSize 64k
```

-  ⇤ ← Revision 1 as of 2022-01-24 10:46:15 → 
  Size: 376
  Editor: PieterSmit
  Comment:
+   ← Revision 2 as of 2022-01-24 11:05:48 → ⇥
  Size: 1316
  Editor: PieterSmit
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 2:
+ * Links  [[https://techpunch.co.uk/development/how-to-shop-json-logs-via-rsyslog|Json Format]]
 Line 12:
- [[https://techpunch.co.uk/development/how-to-shop-json-logs-via-rsyslog|Json Format]]
+ * e.g. json log {{{
# logger ‘@cee: {“foo”: “bar”, “foo2”: “bar2″}’
}}}



== Template to generate json msg ==
 * Template basic {{{
#define a template to print all fields of the message
template(name="messageToES" type="list") {
  property(name="$!all-json")
}
   }}}

 * Template custom {{{
template(name="customTemplate" type="list") {
   constant(value="{\"timestamp\":\"")
   property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"syslogtag\":\"")
   property(name="syslogtag" format="json")
#- close the quotes for syslogtag
#- add a comma
#- then add our JSON-formatted syslog message,
# but start from the 2nd position to omit the left
# curly bracket, continue json.
   constant(value="\",")
   property(name="$!all-json" position.from="2")
}
}}}


== Json size ==
 * Maybe increase max msg size from default 8k with {{{
$MaxMessageSize 64k
   }}}