<div dir="ltr"><div><div><div>I think Fabien is right, but maybe some more hints could help you. So, yes, json-parser() is responsible for parsing messages out-of your log file, it simply sets a number of name-value pairs based on the input.<br><br></div><div>log {<br></div><div> source {<br> file("/var/log/app.log");<br> };<br></div><div> parser { json-parser(); };<br></div><div> destination { tcp("logcollector" template("<font color="#000000"><span style="font-size:12.8px">"$(format-json --pair newfield=\"value\")"</span></font><span style="font-size:12.8px;color:rgb(0,0,0)">)); };<br></span></div><div><br></div><div>};<br></div><div><br></div>If you don't want to specify template towards your log collector explicitly, you can also rewrite the $MSG name-value pair:<br><br></div>rewrite { set(<font color="#000000"><span style="font-size:12.8px">"$(format-json --pair newfield=\"value\")"</span></font><span style="font-size:12.8px;color:rgb(0,0,0)"> value('MSG')); };<br><br></span></div><span style="font-size:12.8px;color:rgb(0,0,0)">This way, your collector destination may find a properly json formatted message that it can send out without using a specific template string.<br></span><div><div><div><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Sun, Sep 4, 2016 at 2:42 AM, Jorge Pereira <span dir="ltr"><<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class=""><span style="color:rgb(0,0,0);font-size:12.8px">Hi team,</span><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px"> Currently, I receive a jSON log from X, but I would like to append a new field. is it possible?</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div></span><div style="color:rgb(0,0,0);font-size:12.8px">e.g: I am trying to do something like:</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div><div><font color="#000000"><span style="font-size:12.8px">log {</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> source {</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> file("/var/log/app.jsonlog"</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> program_override("ng_app")</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> follow_freq(1)</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> flags(no-parse)</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> template("$(format-json --pair newfield=\"value\")"</span></font><span style="font-size:12.8px;color:rgb(0,0,0)">);</span></div><div><font color="#000000"><span style="font-size:12.8px"> );</span></font></div><div><font color="#000000"><span style="font-size:12.8px"> };</span></font></div><div><br></div><div><font color="#000000"><span style="font-size:12.8px"> destination(d_remote_<wbr>collector);</span></font></div><div><font color="#000000"><span style="font-size:12.8px">};</span></font></div></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>