Log Message Normalization Module
Module Name: mmjsonparse
Available since: 6.6.0+
Author: Rainer Gerhards <firstname.lastname@example.org>
This module provides support for parsing structured log messages that follow the CEE/lumberjack spec. The so-called "CEE cookie" is checked and, if present, the JSON-encoded structured message content is parsed. The properties are than available as original message properties.
The "CEE cookie" is the character squence "@cee:" which must prepend the actual JSON. Note that the JSON must be valid and MUST NOT be followed by any non-JSON message. If either of these conditions is not true, mmjsonparse will not parse the associated JSON. This is based on the cookie definition used in CEE/project lumberjack and is meant to aid against an errornous detection of a message as being CEE where it is not.
This also means that mmjsonparse currently is NOT a generic JSON parser that picks up JSON from whereever it may occur in the message. This is intentional, but future versions may support config parameters to relax the format requirements.
Action specific Configuration Directives:
Legacy Configuration Directives:
none Caveats/Known Bugs:
None known at this time.
This activates the module and applies normalization to all messages:
The same in legacy format: