Hi,

format-json uses the value-pairs syntax, and I agree that the docs are not very clear on that. Here's the right section:

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#options-value-pairs


You can rename stuff using the --pair argument:

$(format-json --pair name=$VALUE)

Macro resolution is possible after the equal sign; in fact it is a complete template that may again contain template functions and such. You might even be interested in rekey(), where you can apply simple transformations on key names automatically:

$(format-json --rekey .cee.* --add-prefix events.)

Hope this helps,


--
Bazsi

On Wed, Jan 28, 2015 at 10:02 AM, Daniel Neubacher <daniel.neubacher@xing.com> wrote:

Hey there,

right now I’m playing around with different JSON shippers for log files and I’m a bit lost with syslog-ng. I’ve read the docs but I still don’t know how to change the JSON fields syslog-ng sends out. In order to get my new installation approved I have to keep the old field names in mind; for example, syslog sends out HOST_FROM but I need source_host. Right now logstash/mutate does the renaming but I don’t like to waste performance there.

 

My destination:

destination d_logstash_syslog_syslog_new {tcp("consumer.foo.bar" port(6002) template("$(format-json --scope selected_macros --scope nv_pairs)\n") );};

 

 

Thanks in advance

Daniel
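Putting the reply and the question together, as an added example that is not part of either message: the destination from the question with the HOST_FROM to source_host rename done inside syslog-ng. The destination name d_logstash_renamed is hypothetical, and dropping the old key with --exclude is an assumption about what the consumer expects.

```conf
# Added example, not from the thread. Host, port and scopes are copied from the
# question; the destination name is hypothetical.
destination d_logstash_renamed {
    tcp("consumer.foo.bar" port(6002)
        # --scope   selects the same name-value pairs as the original destination
        # --exclude drops the old key so the value is not sent twice (assumption:
        #           the consumer only wants the new name)
        # --pair    adds source_host, filled from the HOST_FROM macro; the part
        #           after "=" is evaluated as a template
        template("$(format-json --scope selected_macros --scope nv_pairs --exclude HOST_FROM --pair source_host=${HOST_FROM})\n")
    );
};
```

With the rename done here, the matching logstash/mutate step can be removed on the consumer side.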

