Hi all,
I need to forward several JSON-formatted logs to a FreeBSD central log
server (syslog-ng based). These JSON logs don't follow a fixed
structure. For example:
{
  "source.ip": "98.124.251.167",
  "classification.type": "malware",
  "source.as_name": "ENOMAS1 - eNom, Incorporated, US",
  "time.observation": "2017-11-21T14:56:55+00:00",
  "classification.taxonomy": "malicious code",
  "source.registry": "ARIN",
  "raw": "UFJJTUFSWSAzb3ZlcnBhci5jb20gYmxvY2tlZGRvbWFpbi5ob3N0cw==",
  "source.fqdn": "3overpar.com",
  "source.asn": 21740,
  "source.geolocation.cc": "US",
  "time.source": "2017-11-20T00:00:00+00:00",
  "event_description.url": "http://malc0de.com/database/index.php?search=3overpar.com",
  "source.allocated": "2008-06-17T00:00:00+00:00",
  "source.network": "98.124.251.0/24",
  "feed.name": "Generic URL Fetcher is the bot responsible to get the report from an URL.",
  "feed.provider": "Malc0de",
  "feed.url": "https://malc0de.com/bl/BOOT",
  "feed.accuracy": 100.0
}
And others:
{
  "classification.type": "spam",
  "time.source": "2017-11-21T03:21:03+00:00",
  "feed.accuracy": 100.0,
  "time.observation": "2017-11-21T14:57:03+00:00",
  "classification.taxonomy": "abusive content",
  "source.network": "49.13.0.0/16",
  "feed.name": "Spamhaus Drop",
  "feed.provider": "Spamhaus",
  "feed.url": "https://www.spamhaus.org/drop/drop.txt",
  "raw": "NDkuMTMuMC4wLzE2IDsgU0JMMzgxNTQy",
  "extra": "{\"blocklist\": \"SBL381542\"}"
}
I am trying to manage this using the following template:
template(name="logstash" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"source.ip\":\"")
    constant(value="\"classification.type\":\"")
    constant(value="\"source.as_name\":\"")
    constant(value="\"time.observation\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"")
    property(name="msg")
    constant(value="\"}")
}
But the message is truncated. On the other hand, how can I apply two
templates to omfile (one for the JSON input and another to test the
output) or, instead of this, apply one JSON template to imfile and
another template to the omfile module?
My host is a fully patched CentOS 7.4 and the rsyslog release is 8.30.0,
installed from rsyslog's repo.
Thanks.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
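An added example (not the poster's configuration and not an official rsyslog sample) of the approach usually taken for JSON lines with no fixed key set: let mmjsonparse build the property tree from each line and re-emit the whole tree with $!all-json instead of hand-written constants, and bind the imfile input to its own ruleset so that input gets its own template while other inputs keep theirs. The file path, tag, LOGSERVER and reject-file name are assumptions, and the cookie="" parameter of mmjsonparse is assumed to be available in 8.30.

```rsyslog
# Added example, not the poster's config. Path, tag and LOGSERVER are placeholders.
# Raise the 8k default in case a feed line is longer than that.
$MaxMessageSize 64k

module(load="imfile")
module(load="mmjsonparse")

# Re-emit whatever JSON tree mmjsonparse produced. No per-field constants are
# needed, so records with different keys (source.ip vs. extra) pass through intact.
template(name="json-passthrough" type="list") {
    property(name="$!all-json")
    constant(value="\n")
}

# A conventional line template for everything that is not a JSON feed.
template(name="plain" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")

# One ruleset per input: only lines from the imfile input bound below are parsed
# and forwarded with json-passthrough; inputs on the default ruleset are unaffected.
ruleset(name="jsonfeeds") {
    # the feed lines carry no "@cee:" prefix, so drop the cookie requirement
    action(type="mmjsonparse" cookie="")
    if $parsesuccess == "OK" then {
        action(type="omfwd" target="LOGSERVER" port="514" protocol="tcp"
               template="json-passthrough")
    } else {
        # keep lines that are not valid JSON locally instead of forwarding them
        action(type="omfile" file="/var/log/jsonfeed-rejects.log" template="plain")
    }
}

input(type="imfile" file="/var/log/feeds/events.json" tag="jsonfeed"
      ruleset="jsonfeeds")
```

Because $!all-json re-serialises the parsed tree, the "extra" field that itself contains an escaped JSON string is emitted again as a correctly escaped string rather than being cut at the first embedded quote.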