Thanks for the advice.

Now my configs:
http://pastebin.com/G6S2YV6S
http://pastebin.com/wCVc2hqH

Sending log: http://pastebin.com/Euhp1Lmz

Now it is parsed: http://pastebin.com/x46pk4FF

So this didn't help. Yes, the "[TIMER]" part is also part of the message.

@Gyu I don't understand this part about the length of the message. Do you have a link to documentation?

--
Jacek Drewniak
R&D
email: jacek.drewniak@oort.in
mobile: +48 696 151 670
website: www.oort.in

2015-08-14 15:10 GMT+02:00 PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu>:
Hi,
"Jacek Drewniak" <jacek.drewniak@oort.in> wrote at 2015-08-14 14:40:
I am new in the logging world. I am formatting my logs according to:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g...
I am using *syslog* protocol.
For example, I am logging this: http://pastebin.com/4UtUYiJJ
But it is parsed to fields (I can see this in Kibana): http://pastebin.com/cNX8PZJp
Can you tell me what I am doing wrong?
Your format is not exactly the IETF syslog protocol's format. The beginning is okay, but:
<15>1 2015-08-14T12:33:53Z jackahub oortApp - -
Until this point it seems okay. And now the real but:
"{_SDATA:{meta:{sequenceId:jackaSEQ,hubId:123456789}}"
should be formatted in this way:
[meta sequenceId="jackaSEQ" hubId="123456789"]
Assuming that the "[TIMER]" part is also part of the message.
Also, please take care with the transport protocol. E.g. if you transfer this over a tcp/tls channel, then you have to prefix the whole with the length of this message in bytes, e.g.
print SOCK "".length($message)." ".$message;
Cheers, Gyu
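The two points raised in the reply above, the bracketed structured-data element and the byte-length prefix on stream transports, are specified in RFC 5424 (message format) and RFC 5425 / RFC 6587 (octet counting over TLS and TCP). The following is an added example, not code from the thread or from syslog-ng; the function names and the message text after "[TIMER]" are constructed for illustration.

```python
def sd_element(sd_id, params):
    """Render one RFC 5424 SD-ELEMENT: [id name="value" ...]."""
    def esc(value):
        # PARAM-VALUE must escape backslash, double quote and ']'.
        return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
    body = "".join(f' {name}="{esc(str(val))}"' for name, val in params.items())
    return f"[{sd_id}{body}]"

def rfc5424(pri, timestamp, host, app, sd, msg, procid="-", msgid="-"):
    """PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    header = f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid}"
    return f"{header} {sd or '-'} {msg}"

def frame(message):
    """Octet-counting framing: '<length in bytes> <message>'."""
    data = message.encode("utf-8")
    # Count encoded bytes, not characters: they differ for non-ASCII text.
    return str(len(data)).encode("ascii") + b" " + data

def deframe(stream):
    """Split a received byte stream back into messages, as a receiver would."""
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages

# Header and structured data as given in the thread; message text is constructed.
SAMPLE = rfc5424(
    15, "2015-08-14T12:33:53Z", "jackahub", "oortApp",
    sd_element("meta", {"sequenceId": "jackaSEQ", "hubId": "123456789"}),
    "[TIMER] constructed sample text",
)

if __name__ == "__main__":
    print(SAMPLE)
    print(frame(SAMPLE))
```

Without the length prefix, a receiver expecting octet-counted framing cannot find the message boundaries on the stream; the header would be misread as a frame length.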