[syslog-ng] Parsing Messages for Elasticsearch
Fabien Wernli
wernli at in2p3.fr
Wed Dec 21 11:52:43 UTC 2016
Hi Tim,
On Wed, Dec 21, 2016 at 11:47:46AM +0000, Jentz, Tim wrote:
> I thought the nv-pairs scope would do the trick but it doesn't seem to have any effect on the message. Any idea what I'm doing wrong here or can syslog-ng not accomplish what I want to do at all?
No, the `format-json()` function will merely generate JSON for all the
syslog-ng macros, e.g. MESSAGE. But your key=value strings are inside the
MESSAGE macro, and for them to be extracted you need to parse the content of
MESSAGE.
Luckily for you there's the `kv-parser()` which will do just that:
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/key-value-parser.html
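The following configuration is an added example, not part of Fabien's reply or syslog-ng's own documentation. It shows the two steps the reply describes: `kv-parser()` extracts the key=value pairs out of MESSAGE into name-value pairs, and `format-json()` then serialises them alongside the standard macros. The source and destination names (`s_app`, `d_json`), the log file paths, the `.kv.` prefix and the sample message are assumptions; a file destination is used so the output can be inspected locally, the same template works unchanged in an Elasticsearch destination.

```conf
@version: 3.8
# Added example (assumed names and paths): parse key=value pairs from MESSAGE
# with kv-parser() and write each record as one JSON document.

source s_app {
    # Assumed input, one message per line, e.g.
    # "login user=alice src=10.0.0.5 result=ok"
    file("/var/log/app.log");
};

parser p_kv {
    # Parsed pairs are stored under the ".kv." prefix (${.kv.user},
    # ${.kv.src}, ...) so they cannot overwrite built-in macros or fields
    # produced by other parsers; a malicious "HOST=evil" in a message
    # therefore lands in .kv.HOST, not in HOST.
    kv-parser(prefix(".kv."));
};

destination d_json {
    # --scope rfc5424 adds HOST, PROGRAM, DATE, etc.
    # --key .kv.*    selects the parsed pairs
    # --rekey .kv.* --shift 4 strips the ".kv." prefix so the JSON keys are
    #                flat (user, src, result) instead of nested under _kv
    file("/var/log/app.json"
         template("$(format-json --scope rfc5424 --key .kv.* --rekey .kv.* --shift 4)\n"));
};

log {
    source(s_app);
    parser(p_kv);
    destination(d_json);
};
```

Without the `--key .kv.*` option the parsed pairs are simply not included in the output, which is the symptom described in the quoted question. Keeping the `.kv.` prefix on the parser is deliberate: values taken from untrusted message text should never be allowed to shadow fields such as HOST or PROGRAM that downstream searches and alerts rely on.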