diff options
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | doc/mmfields.html | 19 | ||||
| -rw-r--r-- | plugins/mmfields/mmfields.c | 15 |
3 files changed, 28 insertions, 7 deletions
@@ -1,5 +1,6 @@ --------------------------------------------------------------------------- Version 7.5.1 [devel] 2013-06-?? +- add mmfields, which among others supports easy parsing of CEF messages - omrelp: * new parameter "compression.prioritystring" to control encryption parameters used by GnuTLS diff --git a/doc/mmfields.html b/doc/mmfields.html index 9c6e6724..885d6bca 100644 --- a/doc/mmfields.html +++ b/doc/mmfields.html @@ -51,23 +51,34 @@ functionality only if there is a real use case behind the request (in the past we too-often implemented things that actually never got used). <br>The fields are named f<i>nbr</i>, where <i>nbr</i> is the field number starting with one and being incremented for each field. +<li><b>jsonRoot</b> - path (default "!")<br> +This parameters specifies into which json path the extracted fields shall +be written. The default is to use the json root object itself. </ul> <p><b>Caveats/Known Bugs:</b> <ul> -<li>Currently, all fields are written directly into the Lumberjack root. The -default separator character of comma is being used. +<li>Currently none. </ul> <p><b>Samples:</b></p> <p>This is a very simple use case where each message is -parsed. +parsed. The default separator character of comma is being used. <p><textarea rows="5" cols="60">module(load="mmfields") -template(name="ftpl" type=string string="%$!all-json") +template(name="ftpl" type=string string="%$!%\n") action(type="omfields") action(type="omfile" file="/path/to/logfile" template="ftpl") </textarea> +<p>The following sample is similar to the previous one, but +this time the colon is used as separator and data is written +into the "$!mmfields" json path. +<p><textarea rows="5" cols="60">module(load="mmfields") +template(name="ftpl" type=string string="%$!%\n") +action(type="omfields" separator=":" jsonRoot="!mmfields") +action(type="omfile" file="/path/to/logfile" template="ftpl") +</textarea> + <p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/plugins/mmfields/mmfields.c b/plugins/mmfields/mmfields.c index 99c78916..fa7fa100 100644 --- a/plugins/mmfields/mmfields.c +++ b/plugins/mmfields/mmfields.c @@ -53,6 +53,7 @@ DEF_OMOD_STATIC_DATA #define REWRITE_MODE 1 /* rewrite IP address, canoninized */ typedef struct _instanceData { char separator; + uchar *jsonRoot; /**< container where to store fields */ } instanceData; struct modConfData_s { @@ -65,7 +66,8 @@ static modConfData_t *runModConf = NULL;/* modConf ptr to use for the current ex /* tables for interfacing with the v6 config system */ /* action (instance) parameters */ static struct cnfparamdescr actpdescr[] = { - { "separator", eCmdHdlrGetChar, 0 } + { "separator", eCmdHdlrGetChar, 0 }, + { "jsonroot", eCmdHdlrString, 0 } }; static struct cnfparamblk actpblk = { CNFPARAMBLK_VERSION, @@ -109,6 +111,7 @@ ENDisCompatibleWithFeature BEGINfreeInstance CODESTARTfreeInstance + free(pData->jsonRoot); ENDfreeInstance @@ -116,6 +119,7 @@ static inline void setInstParamDefaults(instanceData *pData) { pData->separator = ','; + pData->jsonRoot = NULL; } BEGINnewActInst @@ -137,11 +141,16 @@ CODESTARTnewActInst continue; if(!strcmp(actpblk.descr[i].name, "separator")) { pData->separator = es_getBufAddr(pvals[i].val.d.estr)[0]; + } else if(!strcmp(actpblk.descr[i].name, "jsonroot")) { + pData->jsonRoot = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); } else { dbgprintf("mmfields: program error, non-handled " "param '%s'\n", actpblk.descr[i].name); } } + if(pData->jsonRoot == NULL) { + CHKmalloc(pData->jsonRoot = (uchar*) strdup("!")); + } CODE_STD_FINALIZERnewActInst cnfparamvalsDestruct(pvals, &actpblk); @@ -203,13 +212,13 @@ parse_fields(instanceData *pData, msg_t *pMsg, uchar *msgtext, int lenMsg) while(currIdx < lenMsg) { CHKiRet(extractField(pData, msgtext, lenMsg, &currIdx, buf)); DBGPRINTF("mmfields: field %d: '%s'\n", field, buf); - snprintf(fieldname, sizeof(fieldname), "f%d", (char*)field); + snprintf((char*)fieldname, sizeof(fieldname), "f%d", field); fieldname[sizeof(fieldname)-1] = '\0'; jval = json_object_new_string((char*)fieldbuf); json_object_object_add(json, (char*)fieldname, jval); field++; } - msgAddJSON(pMsg, (uchar*)"!", json); + msgAddJSON(pMsg, pData->jsonRoot, json); finalize_it: RETiRet; } |