Hi,

"Jacek Drewniak" <jacek.drewniak@oort.in> wrote on 2015-08-14 at 14:40:
I am new to the logging world. I am formatting my logs according to: https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g...
I am using *syslog* protocol.
For example I am logging this: http://pastebin.com/4UtUYiJJ But it is parsed to fields (I can see this on Kibana): http://pastebin.com/cNX8PZJp
Can you tell me what I am doing wrong?

Your format is not exactly the ietf syslog protocol's format. The beginning is okay, but:

    <15>1 2015-08-14T12:33:53Z jackahub oortApp - -

Until this point it seems okay. And now the real but:

    "{_SDATA:{meta:{sequenceId:jackaSEQ,hubId:123456789}}"

should be formatted in this way:

    [meta sequenceId="jackaSEQ" hubId="123456789"]

Assuming that the "[TIMER]" part is also part of the message.

Also, please care about the transport protocol. E.g. if you transfer this over a tcp/tls channel, then you have to prefix the whole with the length of this message in bytes, e.g.

    print SOCK "".length($message)." ".$message;

Cheers,
Gyu
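
The formatting and framing described in the reply above, as an added Python example that is not part of the original thread. The function names and the message text after the structured data are constructed for illustration; the escaping of `"`, `\` and `]` in parameter values follows RFC 5424, and the byte-length prefix is the octet-counting framing of RFC 6587.

```python
import re

# SD-ID and PARAM-NAME: 1-32 printable ASCII characters, excluding
# '=', space, ']' and '"' (RFC 5424 SD-NAME).
_SD_NAME = re.compile(r'^[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}$')


def sd_element(sd_id, params):
    """Render one SD-ELEMENT such as [meta sequenceId="jackaSEQ"]."""
    for name in (sd_id, *params):
        if not _SD_NAME.match(name):
            raise ValueError(f"invalid SD name: {name!r}")
    parts = [sd_id]
    for name, value in params.items():
        # Backslash, '"' and ']' must be backslash-escaped inside a value,
        # otherwise logged data could close the element early.
        escaped = re.sub(r'([\\"\]])', r'\\\1', str(value))
        parts.append(f'{name}="{escaped}"')
    return "[" + " ".join(parts) + "]"


def ietf_message(pri, timestamp, host, app, sd, msg, procid="-", msgid="-"):
    """Build an IETF-syslog message as bytes; '-' marks an empty field."""
    header = f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid}"
    return f"{header} {sd or '-'} {msg}".encode("utf-8")


def octet_counted(frame):
    """Frame for tcp/tls: length in bytes (not characters), a space, the message."""
    return str(len(frame)).encode("ascii") + b" " + frame


if __name__ == "__main__":
    sd = sd_element("meta", {"sequenceId": "jackaSEQ", "hubId": "123456789"})
    # Constructed message text; only the header and SD values come from the thread.
    frame = ietf_message(15, "2015-08-14T12:33:53Z", "jackahub", "oortApp",
                         sd, "[TIMER] constructed sample text")
    print(octet_counted(frame).decode("utf-8"))
```
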