diff options
Diffstat (limited to 'doc/mmpstrucdata.html')
| -rw-r--r-- | doc/mmpstrucdata.html | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/doc/mmpstrucdata.html b/doc/mmpstrucdata.html index b4003062..8197d94a 100644 --- a/doc/mmpstrucdata.html +++ b/doc/mmpstrucdata.html @@ -13,6 +13,7 @@ <p><b>Description</b>:</p> <p>The mmpstrucdata parses RFC5424 structured data into the message json variable tree. +The data parsed, if available, is stored under "jsonRoot!rfc5424-sd!...". <p> </p> <p><b>Module Configuration Parameters</b>:</p> @@ -33,6 +34,10 @@ Specifies into which json container the data shall be parsed to. <p><b>Caveats/Known Bugs:</b> <ul> <li>this module is currently experimental; feedback is appreciated +<li>property names are treated case-insensitive in rsyslog. As such, +RFC5424 names are treated case-insensitive as well. If such names +only differ in case (what is not recommended anyways), problems will +occur. <li>structured data with duplicate SD-IDs and SD-PARAMS is not properly processed </ul> @@ -48,6 +53,24 @@ template(name="jsondump" type="string" string="%msg%: %$!%\n") action(type="omfile" file="/path/to/log" template="jsondump") </textarea> +<p><b>A more practical one:</b> +<p>Take this example message (inspired by RFC5424 sample;)): +<p><code><34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8</code> +<p>We apply this configuration: +<p><textarea rows="6" cols="120">module(load="mmpstrucdata") +action(type="mmpstrucdata") +template(name="sample2" type="string" + string="ALL: %$!%\nSD: %$!RFC5424-SD%\nIUT:%$!rfc5424-sd!exampleSDID@32473!iut%\nRAWMSG: %rawmsg%\n\n") +action(type="omfile" file="/path/to/log" template="sample2") +</textarea> +<p>This will output: +<p><code>ALL: { "rfc5424-sd": { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } } }</br> +SD: { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } }</br> +IUT:3</br> +RAWMSG: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8</code> +<p>As you can seem, you can address each of the individual items. Note that the +case of the RFC5424 parameter names has been converted to lower case. + <p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> <p><font size="2">This documentation is part of the |