From 6ec2a6f4232c8bd6ff2769b1b1d324d4f9e78c80 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 24 Jun 2013 10:50:04 +0200 Subject: mmfields: add "jsonRoot" parameter --- ChangeLog | 1 + doc/mmfields.html | 19 +++++++++++++++---- plugins/mmfields/mmfields.c | 15 ++++++++++++--- 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index f527159a..3d1ea571 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ --------------------------------------------------------------------------- Version 7.5.1 [devel] 2013-06-?? +- add mmfields, which among others supports easy parsing of CEF messages - omrelp: * new parameter "compression.prioritystring" to control encryption parameters used by GnuTLS diff --git a/doc/mmfields.html b/doc/mmfields.html index 9c6e6724..885d6bca 100644 --- a/doc/mmfields.html +++ b/doc/mmfields.html @@ -51,23 +51,34 @@ functionality only if there is a real use case behind the request (in the past we too-often implemented things that actually never got used).
The fields are named fnbr, where nbr is the field number starting with one and being incremented for each field. +
  • jsonRoot - path (default "!")
    +This parameters specifies into which json path the extracted fields shall +be written. The default is to use the json root object itself.

    Caveats/Known Bugs:

    Samples:

    This is a very simple use case where each message is -parsed. +parsed. The default separator character of comma is being used.

    +

    The following sample is similar to the previous one, but +this time the colon is used as separator and data is written +into the "$!mmfields" json path. +

    +

    [rsyslog.conf overview] [manual index] [rsyslog site]

    diff --git a/plugins/mmfields/mmfields.c b/plugins/mmfields/mmfields.c index 99c78916..fa7fa100 100644 --- a/plugins/mmfields/mmfields.c +++ b/plugins/mmfields/mmfields.c @@ -53,6 +53,7 @@ DEF_OMOD_STATIC_DATA #define REWRITE_MODE 1 /* rewrite IP address, canoninized */ typedef struct _instanceData { char separator; + uchar *jsonRoot; /**< container where to store fields */ } instanceData; struct modConfData_s { @@ -65,7 +66,8 @@ static modConfData_t *runModConf = NULL;/* modConf ptr to use for the current ex /* tables for interfacing with the v6 config system */ /* action (instance) parameters */ static struct cnfparamdescr actpdescr[] = { - { "separator", eCmdHdlrGetChar, 0 } + { "separator", eCmdHdlrGetChar, 0 }, + { "jsonroot", eCmdHdlrString, 0 } }; static struct cnfparamblk actpblk = { CNFPARAMBLK_VERSION, @@ -109,6 +111,7 @@ ENDisCompatibleWithFeature BEGINfreeInstance CODESTARTfreeInstance + free(pData->jsonRoot); ENDfreeInstance @@ -116,6 +119,7 @@ static inline void setInstParamDefaults(instanceData *pData) { pData->separator = ','; + pData->jsonRoot = NULL; } BEGINnewActInst @@ -137,11 +141,16 @@ CODESTARTnewActInst continue; if(!strcmp(actpblk.descr[i].name, "separator")) { pData->separator = es_getBufAddr(pvals[i].val.d.estr)[0]; + } else if(!strcmp(actpblk.descr[i].name, "jsonroot")) { + pData->jsonRoot = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); } else { dbgprintf("mmfields: program error, non-handled " "param '%s'\n", actpblk.descr[i].name); } } + if(pData->jsonRoot == NULL) { + CHKmalloc(pData->jsonRoot = (uchar*) strdup("!")); + } CODE_STD_FINALIZERnewActInst cnfparamvalsDestruct(pvals, &actpblk); @@ -203,13 +212,13 @@ parse_fields(instanceData *pData, msg_t *pMsg, uchar *msgtext, int lenMsg) while(currIdx < lenMsg) { CHKiRet(extractField(pData, msgtext, lenMsg, &currIdx, buf)); DBGPRINTF("mmfields: field %d: '%s'\n", field, buf); - snprintf(fieldname, sizeof(fieldname), "f%d", (char*)field); + snprintf((char*)fieldname, sizeof(fieldname), "f%d", field); fieldname[sizeof(fieldname)-1] = '\0'; jval = json_object_new_string((char*)fieldbuf); json_object_object_add(json, (char*)fieldname, jval); field++; } - msgAddJSON(pMsg, (uchar*)"!", json); + msgAddJSON(pMsg, pData->jsonRoot, json); finalize_it: RETiRet; } -- cgit v1.2.3