<div dir="auto"><div>Hi!<div dir="auto"><br></div><div dir="auto">For a quick idea, you can start syslog-ng in debug mode where you can see details about the message parsing. You will see if the parsing or the template had problems.</div><div dir="auto"><br></div><div dir="auto">You need to start syslog-ng with the -dv options to do that.</div><br>Regards,</div><div dir="auto">Gábor</div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr">On Wed, 17 Oct 2018, 18:05 Michael Niemand, <<a href="mailto:michael.niemand@gmail.com">michael.niemand@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I can’t get JSON parsing to work. I’ve consulted the documentation and Google but with no luck.<br>
<br>
I have an app, that puts out simple json log messages like:<br>
<br>
{"level":"error","message":"connection ended without disconnect receipt","timestamp":"2018-10-12T17:49:08.650Z"}<br>
<br>
All I want to do, is parse these 3 values and send them to a hosted Graylog cluster. Sending works, but the message gets inserted as<br>
<br>
application name: {"level"<br>
message: "error","message":"connection ended without disconnect receipt","timestamp":"2018-10-12T17:49:08.650Z"}<br>
<br>
it's almost like syslog-ng doesn't even interpret the file as json. I tried different variants but I am at my wits end now...<br>
<br>
This is my config (on the application host; it should send the logs directly to the logging cluster)<br>
<br>
@version: 3.5<br>
@include "scl.conf"<br>
@include "`scl-root`/system/tty10.conf"<br>
<br>
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);<br>
owner("root"); group("adm"); perm(0640); stats_freq(0);<br>
bad_hostname("^gconfd$");<br>
};<br>
<br>
source s_src { <br>
file(<br>
“/var/log/worker/error.log"<br>
flags(no-parse)<br>
);<br>
};<br>
<br>
template unitManagerTemplate {<br>
template("$(format-json --scope dot-nv-pairs) [sdid@123456 X-OVH-TOKEN=\"XXXXXXXXXXXXXXXXXXXXXXXXXX\"\n");<br>
};<br>
<br>
destination ovhPaaSLogs {<br>
tcp("<a href="http://gra2.logs.ovh.com" rel="noreferrer noreferrer" target="_blank">gra2.logs.ovh.com</a>"<br>
port(6514),<br>
template(unitManagerTemplate),<br>
ts_format("iso"),<br>
tls(peer-verify("require-trusted") ca_dir("/etc/ssl/certs/")),<br>
keep-alive(yes),<br>
so_keepalive(yes),<br>
);<br>
};<br>
<br>
parser p_json { <br>
json-parser(prefix(".json.")); <br>
};<br>
<br>
log {<br>
source(s_src);<br>
parser(p_json);<br>
destination(ovhPaaSLogs);<br>
};<br>
<br>
@include "/etc/syslog-ng/conf.d/"<br>
<br>
<br>
I also tried a different a template variant like this:<br>
<br>
template("${.json.level} ${.json.message} ${.json.timestamp} [sdid@123456 X-OVH-TOKEN=\"XXXXXXXXXXXXXXXXXXXXXXXXXX\"\n”);<br>
<br>
I also tried parsing the messages as text:<br>
<br>
template("{\"level\":\"${PRIORITY}\",\"message\":\"${MSG}\",\"timestamp\":\"${ISODATE}\"} - [sdid@32473 X-OVH-TOKEN=\"XXXXXXXXXXXXXXXXXXXXXXXXXX\" pid=\"${PID}\" facility=\"${FACILITY}\" priority=\"${PRIORITY}\"] ${MSG}\n");<br>
<br>
What shows up in Graylog is absolutely identical (like described in the beginning). In fact, every variant that I tried changed absolutely nothing. The conf.d folder is empty though.<br>
I’d appreciate any help!<br>
<br>
<br>
Best regards,<br>
<br>
Michael<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div></div></div>