I think Fabien is right, but maybe some more hints could help you.

So, yes, json-parser() is responsible for parsing messages out of your log file; it simply sets a number of name-value pairs based on the input.

    log {
      source { file("/var/log/app.log"); };
      parser { json-parser(); };
      destination { tcp("logcollector" template("$(format-json --pair newfield=\"value\")")); };
    };

If you don't want to specify a template towards your log collector explicitly, you can also rewrite the $MSG name-value pair:

    rewrite { set("$(format-json --pair newfield=\"value\")" value('MSG')); };

This way, your collector destination may find a properly JSON-formatted message that it can send out without using a specific template string.

--
Bazsi

On Sun, Sep 4, 2016 at 2:42 AM, Jorge Pereira <jpereiran@gmail.com> wrote:
Hi team,
Currently, I receive a JSON log from X, but I would like to append a new field. Is it possible?
E.g., I am trying to do something like:
    log {
      source {
        file("/var/log/app.jsonlog" program_override("ng_app") follow_freq(1) flags(no-parse) template("$(format-json --pair newfield=\"value\")"); );
      };
      destination(d_remote_collector);
    };
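Added example, not part of the thread and not syslog-ng code: a Python model of the flow described in the reply (parse the JSON line into name-value pairs, set one extra pair, serialize again). The function names, the sample lines, and the choices to reject non-object input and to let the added pair replace a same-named field from the input are assumptions of this example.

```python
import json


def append_field(line, name, value):
    """Parse one JSON log line, set one extra pair, re-serialize.

    Returns the new JSON text, or None when the line is not a JSON object.
    """
    try:
        pairs = json.loads(line)
    except json.JSONDecodeError:
        return None  # malformed input: never patch it up by string concatenation
    if not isinstance(pairs, dict):
        return None  # a bare list, number or string has no fields to extend
    # Assumption of this example: the pair set by the pipeline wins over a
    # field of the same name that arrived inside the log line.
    pairs[name] = value
    return json.dumps(pairs, separators=(",", ":"))


def process(lines, name, value):
    """Split input lines into (rewritten JSON lines, rejected raw lines)."""
    rewritten, rejected = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        result = append_field(raw, name, value)
        if result is None:
            rejected.append(raw)
        else:
            rewritten.append(result)
    return rewritten, rejected


# Constructed sample input (not taken from the thread).
SAMPLE_LINES = [
    '{"app":"ng_app","level":"info","msg":"started"}',
    '{"newfield":"from-the-log","msg":"same key already present"}',
    'plain text line, not JSON',
    '["a","json","array"]',
]

if __name__ == "__main__":
    ok, bad = process(SAMPLE_LINES, "newfield", "value")
    for item in ok:
        print(item)
    print("rejected:", len(bad))
```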