Hi,
"Jacek Drewniak" <jacek.drewniak@oort.in> wrote on 2015-08-14 at 14:40:
> I am new to the logging world.
> I am formatting my logs according to:
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-message-ietfsyslog.html
>
>
> I am using *syslog* protocol.
>
> For example I am logging this: http://pastebin.com/4UtUYiJJ
> But it is parsed into fields (I can see this in Kibana):
> http://pastebin.com/cNX8PZJp
>
> Can you tell me what I am doing wrong?
Your format is not exactly the IETF syslog protocol's format.
The beginning is okay, but:
<15>1 2015-08-14T12:33:53Z jackahub oortApp - -
Until this point it seems okay.
And now the real but:
"{_SDATA:{meta:{sequenceId:jackaSEQ,hubId:123456789}}"
should be formatted in this way:
[meta sequenceId="jackaSEQ" hubId="123456789"]
Assuming that the "[TIMER]" part is also part of the message.
Also, please care about the transport protocol.
E.g. if you transfer this over a tcp/tls channel, then you have to prefix the
whole with the length of this message in bytes, e.g.
print SOCK "".length($message)." ".$message;
Cheers,
Gyu
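
An added example, not part of the original reply and not syslog-ng code: Python that builds the RFC 5424 line discussed above, escapes structured-data values, and applies the byte-length prefix used on TCP/TLS. The function names and the message text after "[TIMER]" are assumptions made for illustration.

```python
import re

# SD-ID / PARAM-NAME: 1-32 printable ASCII chars, excluding '=', space, ']' and '"'.
_SD_NAME = re.compile(r'[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}')


def sd_element(sd_id, params):
    """Render one SD-ELEMENT such as [meta sequenceId="jackaSEQ" hubId="123456789"]."""
    for name in (sd_id, *params):
        if not _SD_NAME.fullmatch(name):
            raise ValueError(f"invalid SD-ID or PARAM-NAME: {name!r}")
    parts = [sd_id]
    for name, value in params.items():
        # Inside a PARAM-VALUE the characters '\', '"' and ']' are backslash-escaped,
        # otherwise a value could close the element early and corrupt the parse.
        escaped = re.sub(r'([\\"\]])', r'\\\1', str(value))
        parts.append(f'{name}="{escaped}"')
    return "[" + " ".join(parts) + "]"


def rfc5424(pri, timestamp, host, app, sd, msg, procid="-", msgid="-"):
    """HEADER SP STRUCTURED-DATA [SP MSG]; version is 1 and '-' is the nil value."""
    line = f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid} {sd or '-'}"
    return f"{line} {msg}" if msg else line


def octet_frame(message):
    """Prefix the message with its length in bytes (not characters) and a space."""
    data = message.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


if __name__ == "__main__":
    # Header values are the ones quoted in the reply; the text after [TIMER] is constructed.
    sd = sd_element("meta", {"sequenceId": "jackaSEQ", "hubId": "123456789"})
    line = rfc5424(15, "2015-08-14T12:33:53Z", "jackahub", "oortApp", sd,
                   "[TIMER] constructed sample text")
    print(line)
    print(octet_frame(line))
```

The length is taken after UTF-8 encoding, so a message containing non-ASCII characters is still framed with the correct byte count.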