Class: Log2Json::Filters::SyslogFilter

Inherits:

GrokFilter

• Object
• GrokFilter
• Log2Json::Filters::SyslogFilter

Defined in:

lib/log2json/filters/syslog.rb

Overview

A default syslog filter. This works the rsyslog and its default configuration as distributed with Ubuntu 12.04 LTS.

It also assumes your syslog timestamp is in UTC. To make sure, add the following line to /etc/default/rsyslog:

export TZ=UTC

and then restart rsyslog.(ie, sudo service restart rsyslog) Other settings for rsyslog you might want to adjust includes:

MaxMessageSize 64k # Increase the message size allowed to 64k (default is like 2k… or something.)

$IMUXSockRateLimitInterval 0 # Disable rate limiting, so we are sure to get every single message logged.

# Note: Add it after $ModLoad imuxsock

Constant Summary

Constants inherited from GrokFilter

GrokFilter::CONFIG, GrokFilter::DEFAULT_PATTERNS

Instance Attribute Summary

Attributes inherited from GrokFilter

#name, #type

Instance Method Summary

• #filter(record) ⇒ Object
• #initialize(name, config = {}) ⇒ SyslogFilter constructor

  A new instance of SyslogFilter.

Constructor Details

#initialize(name, config = {}) ⇒ SyslogFilter

Returns a new instance of SyslogFilter.

# File 'lib/log2json/filters/syslog.rb', line 28

def initialize(name, config={})
  type = config.delete(:type) {'syslog'}
  super(type, name, [
    %w[ %{SYSLOGTIMESTAMP:syslog_timestamp}
        %{SYSLOGHOST:syslog_hostname}?
        %{PROG:syslog_program}(?:\\\[%{POSINT:syslog_pid}\\\])?:
        %{GREEDYDATA:syslog_message}
      ].join(' ')], config
  )
end

Instance Method Details

#filter(record) ⇒ Object

# File 'lib/log2json/filters/syslog.rb', line 39

def filter(record)
  return nil if super(record).nil?
  record['@received_at'] = record['@timestamp']
  record['@received_from'] = record['@source_host']

  fields = record['@fields']

  fields['syslog_timestamp'] += '+0000'
  record['@timestamp'] = DateTime.strptime(fields["syslog_timestamp"], "%b %e %T%z") # eg, Apr 12 15:55:28+0000

  record['@source_host'] = fields['syslog_hostname']
  record['@message'] = fields['syslog_message'].gsub(/#012/, "\n")
  record['@tags'] << fields['syslog_program']
  fields.each_key { |k| fields.delete(k) if k.start_with?('syslog_') }
  record
end