Class: Log2Json::Filters::SyslogFilter
- Inherits: GrokFilter
- Ancestors: Object > GrokFilter > Log2Json::Filters::SyslogFilter
- Defined in: lib/log2json/filters/syslog.rb
Overview
A default syslog filter. It works with rsyslog and its default configuration as distributed with Ubuntu 12.04 LTS.
It also assumes your syslog timestamps are in UTC. To make sure they are, add the following line to /etc/default/rsyslog:
    export TZ=UTC
and then restart rsyslog (i.e. sudo service rsyslog restart). Other rsyslog settings you might want to adjust include:
    $MaxMessageSize 64k            # Increase the allowed message size to 64k (the default is like 2k… or something.)
    $IMUXSockRateLimitInterval 0   # Disable rate limiting, so we are sure to get every single message logged.
                                   # Note: add this line after $ModLoad imuxsock
Constant Summary
Constants inherited from GrokFilter: GrokFilter::CONFIG, GrokFilter::DEFAULT_PATTERNS
Instance Attribute Summary
Attributes inherited from GrokFilter
Instance Method Summary
- #filter(record) ⇒ Object
- #initialize(name, config = {}) ⇒ SyslogFilter (constructor): a new instance of SyslogFilter.
Constructor Details
#initialize(name, config = {}) ⇒ SyslogFilter
Returns a new instance of SyslogFilter.
# File 'lib/log2json/filters/syslog.rb', line 28
def initialize(name, config={})
  # Record type defaults to 'syslog' unless the caller overrides it.
  type = config.delete(:type) {'syslog'}
  # Grok pattern for the default rsyslog line format:
  # timestamp, optional hostname, program[pid]: message
  super(type, name, [
    %w[ %{SYSLOGTIMESTAMP:syslog_timestamp}
        %{SYSLOGHOST:syslog_hostname}?
        %{PROG:syslog_program}(?:\\\[%{POSINT:syslog_pid}\\\])?:
        %{GREEDYDATA:syslog_message} ].join(' ')], config )
end
Instance Method Details
#filter(record) ⇒ Object
# File 'lib/log2json/filters/syslog.rb', line 39
def filter(record)
  # GrokFilter#filter fills record['@fields'] from the pattern above; a non-match yields nil.
  return nil if super(record).nil?
  # Keep the collector's own view of when/where the line arrived before overwriting it.
  record['@received_at'] = record['@timestamp']
  record['@received_from'] = record['@source_host']
  fields = record['@fields']
  fields['syslog_timestamp'] += '+0000'   # syslog timestamps are assumed to be UTC
  record['@timestamp'] = DateTime.strptime(fields["syslog_timestamp"], "%b %e %T%z") # eg, Apr 12 15:55:28+0000
  record['@source_host'] = fields['syslog_hostname']
  # rsyslog escapes embedded newlines as "#012"; restore them.
  record['@message'] = fields['syslog_message'].gsub(/#012/, "\n")
  record['@tags'] << fields['syslog_program']
  # Drop the raw syslog_* captures now that they have been folded into the record.
  fields.each_key { |k| fields.delete(k) if k.start_with?('syslog_') }
  record
end
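A stand-alone rendering of what #filter does, added here as an example; it is not code from the log2json project. The grok sub-patterns are expanded by hand into one Ruby regexp (an assumption about what SYSLOGTIMESTAMP, SYSLOGHOST, PROG and POSINT stand for), the incoming record is a plain Hash in place of what GrokFilter would produce, and a year keyword is added because a syslog timestamp carries none:

```ruby
require 'date'

# Constructed sample input in the rsyslog default line format
# (timestamp, host, program[pid]: message); the second line carries an
# rsyslog "#012" escaped newline.
SAMPLE_LINES = [
  'Apr 12 15:55:28 web01 sshd[1234]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2',
  'Apr 12 15:55:29 web01 kernel: first line#012second line',
]

# Hand-expanded equivalent of the grok pattern SyslogFilter passes to
# GrokFilter (assumption: this is what SYSLOGTIMESTAMP, SYSLOGHOST, PROG
# and POSINT stand for in the default pattern set).
SYSLOG_RE = /\A
  (?<syslog_timestamp>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s
  (?:(?<syslog_hostname>[\w.-]+)\s)?
  (?<syslog_program>[^\s\[:]+)(?:\[(?<syslog_pid>\d+)\])?:\s
  (?<syslog_message>.*)\z/mx

# Mirrors SyslogFilter#filter. +record+ stands in for what GrokFilter hands
# over: '@timestamp' and '@source_host' say when and where the line was
# received. +year+ is this example's own addition: a syslog timestamp has
# no year, so the caller supplies one. Returns nil when the line does not
# match, as the original does.
def syslog_filter(line, record, year:)
  m = SYSLOG_RE.match(line) or return nil
  fields = m.named_captures
  record['@received_at']   = record['@timestamp']
  record['@received_from'] = record['@source_host']
  fields['syslog_timestamp'] += '+0000'            # the filter assumes UTC
  record['@timestamp']   = DateTime.strptime("#{year} #{fields['syslog_timestamp']}",
                                             '%Y %b %e %T%z')
  record['@source_host'] = fields['syslog_hostname']
  record['@message']     = fields['syslog_message'].gsub('#012', "\n")
  (record['@tags'] ||= []) << fields['syslog_program']
  # As in the original, every syslog_* capture is dropped, the pid included.
  record['@fields'] = fields.reject { |k, _| k.start_with?('syslog_') }
  record
end

if __FILE__ == $0
  SAMPLE_LINES.each do |l|
    rec = { '@timestamp' => DateTime.now, '@source_host' => 'collector' }
    p syslog_filter(l, rec, year: 2013)
  end
end
```

Because the pid is discarded with the other syslog_* fields, anything downstream that needs it has to read it before this step.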