[syslog-ng] Syslog-ng message formatting

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Fri Aug 14 15:10:58 CEST 2015


Hi,

"Jacek Drewniak" <jacek.drewniak at oort.in> wrote at 2015-08-14 14:40:
> I am new to the logging world.
> I am formatting my logs according to:
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-message-ietfsyslog.html
> 
> 
> I am using *syslog* protocol.
> 
> For example I am logging this: http://pastebin.com/4UtUYiJJ
> But it is parsed to fields (I can see this on Kibana):
> http://pastebin.com/cNX8PZJp
> 
> Can you tell me what I am doing wrong?

Your format is not exactly the IETF syslog protocol's format.
The beginning is okay, but:
<15>1 2015-08-14T12:33:53Z jackahub oortApp - -

Until this point it seems okay.
And now the real but:
"{_SDATA:{meta:{sequenceId:jackaSEQ,hubId:123456789}}"
should be formatted in this way:
[meta sequenceId="jackaSEQ" hubId="123456789"]

Assuming that the "[TIMER]" part is also part of the message.

Also, please take care about the transport protocol.
E.g. if you transfer this over a TCP/TLS channel, then you have to prefix the
whole with the length of this message in bytes, e.g.
print SOCK "".length($message)." ".$message;

Cheers,
Gyu
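
The corrected format from the reply above, as an added example that is not part of the original post (Python rather than the Perl one-liner in the reply): it builds the structured-data element with the escaping the IETF syslog format requires inside parameter values, then applies the length prefix counted in bytes. The function names are hypothetical and the text after "[TIMER]" is constructed sample data.

```python
# Added example: IETF syslog line with structured data, plus the byte-length
# prefix used on TCP/TLS transports. Function names are hypothetical.
import re

_SD_NAME = re.compile(r'^[!-~]{1,32}$')  # printable ASCII, no space, 1-32 chars

def _check_name(name):
    # SD-ID and PARAM-NAME may not contain '=', ']' or '"' either.
    if not _SD_NAME.match(name) or any(c in name for c in '=]"'):
        raise ValueError("invalid SD name: %r" % (name,))
    return name

def _escape_value(value):
    # Inside a PARAM-VALUE, backslash, '"' and ']' are backslash-escaped.
    return re.sub(r'([\\"\]])', r'\\\1', str(value))

def sd_element(sd_id, params):
    parts = [_check_name(sd_id)]
    parts += ['%s="%s"' % (_check_name(k), _escape_value(v))
              for k, v in params.items()]
    return "[" + " ".join(parts) + "]"

def ietf_line(pri, timestamp, host, app, sd, msg, procid="-", msgid="-"):
    # HEADER SP STRUCTURED-DATA SP MSG; "-" stands for an absent field.
    return "<%d>1 %s %s %s %s %s %s %s" % (
        pri, timestamp, host, app, procid, msgid, sd or "-", msg)

def octet_frame(line):
    # The prefix counts bytes of the encoded message, not characters.
    data = line.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data

def example_line():
    # Header and SD values are the ones from the thread; MSG text is constructed.
    sd = sd_element("meta", {"sequenceId": "jackaSEQ", "hubId": "123456789"})
    return ietf_line(15, "2015-08-14T12:33:53Z", "jackahub", "oortApp",
                     sd, "[TIMER] constructed sample text")

if __name__ == "__main__":
    print(octet_frame(example_line()))
```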

