Hello,
    template(name="lumberjack" type="list") { property(name="$!all-json") }
then with:
    module(load="mmjsonparse")
    action(type="mmjsonparse")
You should have your fields in the "lumberjack" template that you can use
in the omelasticsearch action. The only trouble you may find is with the
timestamp, which is not a proper RFC-3339 timestamp, as far as I can see
(it is missing timezone info). So you can either use date formats in Elasticsearch
to accept this kind of date (it will index them as strings otherwise):
https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-date-format.html
Or you can change your data so the timestamp is standard.
Or, you can do that in rsyslog's template (to add a "Z" at the end), but
the template will look uglier.
Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/
On Wed, Jun 10, 2015 at 1:41 PM, Muhammad Asif <[email protected]> wrote:
> Hi Geeks,
>
> Here is my json log.
>
>
> @cee:{"timestamp":"2014-12-29T21:01:13.586962","event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.20.16.93","dest_port":49112,"proto":"UDP"}
>
> Please, can anyone write a template for this log to send it to Elasticsearch
> and save it in separate fields? I am still failing after a lot of effort.
>
>
> Thanks
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
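The pieces from the reply above, assembled into one configuration as an added example (not part of the original thread or the rsyslog project's own documentation). It appends the "Z" with a RainerScript `set` statement before the template is rendered instead of inside the template, which is only correct if the sender writes UTC. The rsyslog v8 syntax, the server, the index name and the failure-log path are assumptions.

```rsyslog
# Added example. Assumptions: rsyslog v8, sender timestamps are UTC,
# Elasticsearch on localhost, index "dns-events", failure log path below.
module(load="mmjsonparse")
module(load="omelasticsearch")

# Render every parsed JSON field as one JSON document.
template(name="lumberjack" type="list") {
    property(name="$!all-json")
}

# Parse the JSON that follows the "@cee:" cookie into the $! variable tree.
action(type="mmjsonparse")

if $parsesuccess == "OK" then {
    # Append "Z" only when the value carries no zone designator yet,
    # so a timestamp that already ends in Z or +hh:mm is left alone.
    if $!timestamp != "" and not (re_match($!timestamp, '(Z|[+-][0-9]{2}:?[0-9]{2})$')) then {
        set $!timestamp = $!timestamp & "Z";
    }
    action(type="omelasticsearch"
           server="localhost"
           searchIndex="dns-events"
           template="lumberjack")
} else {
    # Keep messages that were not valid @cee JSON for inspection
    # instead of indexing them without fields.
    action(type="omfile" file="/var/log/cee-parse-failed.log")
}
```

With the sample message from the question, the document sent to Elasticsearch has `timestamp` set to `2014-12-29T21:01:13.586962Z` and the other keys (`event_type`, `src_ip`, `src_port`, and so on) as separate fields.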