1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta http-equiv="Content-Language" content="en">
<title>RFC5424 structured data parsing module (mmpstrucdata)</title></head>
<body>
<a href="rsyslog_conf_modules.html">back</a>
<h1>RFC5424 structured data parsing module (mmpstrucdata)</h1>
<p><b>Module Name: mmpstrucdata</b></p>
<p><b>Author: </b>Rainer Gerhards <rgerhards@adiscon.com></p>
<p><b>Available since</b>: 7.5.4</p>
<p><b>Description</b>:</p>
<p>The mmpstrucdata parses RFC5424 structured data into the message
json variable tree.
The data parsed, if available, is stored under "jsonRoot!rfc5424-sd!...".
<p> </p>
<p><b>Module Configuration Parameters</b>:</p>
<p>Currently none.
<p> </p>
<p><b>Action Confguration Parameters</b>:</p>
<ul>
<li><b>jsonRoot</b> - default "!"<br>
Specifies into which json container the data shall be parsed to.
</ul>
<p><b>See Also</b>
<ul>
<li><a href="http://www.rsyslog.com/howto-anonymize-messages-that-go-to-specific-files/">Howto anonymize messages that go to specific files</a>
</ul>
<p><b>Caveats/Known Bugs:</b>
<ul>
<li>this module is currently experimental; feedback is appreciated
<li>property names are treated case-insensitive in rsyslog. As such,
RFC5424 names are treated case-insensitive as well. If such names
only differ in case (what is not recommended anyways), problems will
occur.
<li>structured data with duplicate SD-IDs and SD-PARAMS is not
properly processed
</ul>
<p><b>Samples:</b></p>
<p>In this snippet, we parse the message and emit all json variable to a file
with the message anonymized. Note that once mmpstrucdata has run, access to the
original message is no longer possible (execept if stored in user
variables before anonymization).
<p><textarea rows="5" cols="60">module(load="mmpstrucdata")
action(type="mmpstrucdata")
template(name="jsondump" type="string" string="%msg%: %$!%\n")
action(type="omfile" file="/path/to/log" template="jsondump")
</textarea>
<p><b>A more practical one:</b>
<p>Take this example message (inspired by RFC5424 sample;)):
<p><code><34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8</code>
<p>We apply this configuration:
<p><textarea rows="6" cols="120">module(load="mmpstrucdata")
action(type="mmpstrucdata")
template(name="sample2" type="string"
string="ALL: %$!%\nSD: %$!RFC5424-SD%\nIUT:%$!rfc5424-sd!exampleSDID@32473!iut%\nRAWMSG: %rawmsg%\n\n")
action(type="omfile" file="/path/to/log" template="sample2")
</textarea>
<p>This will output:
<p><code>ALL: { "rfc5424-sd": { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } } }</br>
SD: { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } }</br>
IUT:3</br>
RAWMSG: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8</code>
<p>As you can seem, you can address each of the individual items. Note that the
case of the RFC5424 parameter names has been converted to lower case.
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual
index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
Copyright © 2013 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
version 3 or higher.</font></p>
</body></html>
|
