[syslog-ng] Parsing Messages for Elasticsearch

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Dec 21 12:43:02 UTC 2016


Hi,

This article discusses parsing plus elastic, albeit it does use db-parser()
for the parsing piece, where you probably want to use kv-parser() as Fabien
has mentioned.

https://www.balabit.com/blog/how-to-parse-data-with-syslog-ng-store-in-elasticsearch-and-analyze-with-kibana/

-- 
Bazsi

On Wed, Dec 21, 2016 at 12:52 PM, Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi Tim,
>
> On Wed, Dec 21, 2016 at 11:47:46AM +0000, Jentz, Tim wrote:
> > I thought the nv-pairs scope would do the trick but it doesn't seem to
> have any effect on the message. Any idea what I'm doing wrong here or can
> syslog-ng not accomplish what I want to do at all?
>
> No, the `format-json()` function will merely generate JSON for all the
> syslog-ng macros, e.g. MESSAGE. But your key=value strings are inside the
> MESSAGE macro, and for them to be extracted you need to parse the content
> of MESSAGE.
>
> Luckily for you there's the `kv-parser()` which will do just that:
>
> https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/key-value-parser.html
>
>
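To make the point of the thread concrete, here is an added configuration example (not part of either message above, and not from the Balabit blog post linked to) that wires the two steps together: kv-parser() extracts the key=value pairs out of MESSAGE, and only then does format-json() with the nv-pairs scope have anything to emit. The source, the sample line, the prefix "kv." and the Elasticsearch host, index and type names are all assumptions chosen for illustration; the elasticsearch2() options shown are those of the syslog-ng OSE 3.8 Java-based destination current at the time of the thread.

```syslog-ng
@version: 3.8

# Constructed sample input, as it would arrive on the network source:
#   <13>Dec 21 12:00:00 fw01 filter: action=drop src=10.0.0.5 dst=10.0.0.9 dport=22
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# kv-parser() splits MESSAGE into name-value pairs. The prefix keeps the
# extracted keys in their own namespace, so a key named like a built-in
# macro (e.g. "MESSAGE" or "HOST" appearing inside the log text) cannot
# overwrite the real macro, and format-json() nests them under "kv".
parser p_kv {
    kv-parser(prefix("kv."));
};

# nv-pairs scope picks up the parsed keys; rfc5424 scope adds the standard
# syslog fields. DATE is excluded in favour of ISODATE so Elasticsearch can
# map the timestamp unambiguously.
destination d_es {
    elasticsearch2(
        client-mode("http")
        cluster("elasticsearch")
        server("localhost") port("9200")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        template("$(format-json --scope rfc5424 --scope nv-pairs --key ISODATE --exclude DATE)\n")
    );
};

# Order matters: without parser(p_kv) before the destination, the nv-pairs
# scope has no parsed values to emit, which is the symptom described above.
log {
    source(s_net);
    parser(p_kv);
    destination(d_es);
};
```

For the sample line, the document sent to Elasticsearch then contains the usual HOST, PROGRAM, MESSAGE and ISODATE fields plus a nested "kv" object with action, src, dst and dport. Keep the prefix even if it seems redundant: the keys come straight from untrusted log content, so without a namespace any sender can introduce new top-level field names into the index, and every distinct name becomes a new field in the Elasticsearch mapping.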