Use this documentation with care! It describes the outdated version 7, which was actively developed around 2014 and is considered dead by the rsyslog team.

This documentation reflects the latest update of the v7-stable branch. It describes the 7.6.8 version, which was never released. As such, it contains some content that does not apply to any released version.

To obtain the doc that properly matches your installed v7 version, obtain the doc set from your distro. Each version of rsyslog contained the version that exactly matches it.

As general advice, it is strongly suggested to upgrade to the current version supported by the rsyslog project. The current version can always be found on the right-hand side info box on the rsyslog web site.

Note that there is only limited rsyslog community support available for the outdated v7 version (officially we do not support it at all, but we usually are able to answer simple questions). If you need to stick with v7, it probably is best to ask your distribution for support.

RFC5424 structured data parsing module (mmpstrucdata)

Module Name:    mmpstrucdata

Author: Rainer Gerhards <rgerhards@adiscon.com>

Available since: 7.5.4

Description:

The mmpstrucdata module parses RFC5424 structured data into the message json variable tree. The parsed data, if available, is stored under “jsonRoot!rfc5424-sd!…”.

Module Configuration Parameters:

Currently none.

Action Configuration Parameters:

  • jsonRoot - default “!”
    Specifies the json container into which the data shall be parsed.

Caveats/Known Bugs:

  • this module is currently experimental; feedback is appreciated
  • property names are treated case-insensitively in rsyslog. As such, RFC5424 names are treated case-insensitively as well. If such names differ only in case (which is not recommended anyway), problems will occur.
  • structured data with duplicate SD-IDs and SD-PARAMS is not properly processed

Samples:

In this snippet, we parse the message and emit all json variables to a file with the message anonymized. Note that once mmpstrucdata has run, access to the original message is no longer possible (except if stored in user variables before anonymization).

module(load="mmpstrucdata")
action(type="mmpstrucdata")
template(name="jsondump" type="string" string="%msg%: %$!%\n")
action(type="omfile" file="/path/to/log" template="jsondump")

A more practical one:

Take this example message (inspired by RFC5424 sample;)):

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8

We apply this configuration:

module(load="mmpstrucdata")
action(type="mmpstrucdata")
template(name="sample2" type="string" string="ALL: %$!%\nSD: %$!RFC5424-SD%\nIUT:%$!rfc5424-sd!exampleSDID@32473!iut%\nRAWMSG: %rawmsg%\n\n")
action(type="omfile" file="/path/to/log" template="sample2")

This will output:

ALL: { "rfc5424-sd": { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } } }
SD: { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } }
IUT:3
RAWMSG: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8

As you can see, you can address each of the individual items. Note that the case of the RFC5424 parameter names has been converted to lower case.
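The lower-casing shown above is also what makes the caveats about case-only name differences and duplicate SD-IDs matter for anyone filtering or alerting on these fields. The following Python sketch is an added example, not rsyslog code: it parses an RFC5424 STRUCTURED-DATA field into the same lower-cased tree and reports input that would hit those caveats. The names parse_sd and SAMPLE_SD are hypothetical, and the last-value-wins handling of collisions is an assumption of the sketch, not documented module behaviour.

```python
import re

# SD-NAME (RFC 5424): 1-32 printable US-ASCII characters except '=', ' ', ']', '"'.
_NAME = r'[!#-<>-\\^-~]{1,32}'
_SD_ID = re.compile(r'\[(' + _NAME + r')')
# PARAM-VALUE: '"', '\' and ']' must be backslash-escaped inside the quotes.
_PARAM = re.compile(r' (' + _NAME + r')="((?:[^"\\\]]|\\.)*)"')

# Constructed input: the STRUCTURED-DATA field of the page's sample message.
SAMPLE_SD = ('[exampleSDID@32473 iut="3" eventSource="Application" '
             'eventID="1011"][id@2 test="tast"]')


def parse_sd(sd):
    """Parse an RFC 5424 STRUCTURED-DATA field.

    Returns (tree, problems): tree holds the lower-cased names as in the
    page's output; problems lists inputs that hit the documented caveats.
    """
    tree, problems, pos = {}, [], 0
    if sd == "-":  # NILVALUE: no structured data present
        return tree, problems
    while pos < len(sd):
        m = _SD_ID.match(sd, pos)
        if not m:
            raise ValueError(f"expected SD-ELEMENT at offset {pos}")
        sd_id = m.group(1).lower()
        if sd_id in tree:
            problems.append(f"SD-ID {m.group(1)!r} repeats or differs only in case")
        params = tree.setdefault(sd_id, {})
        pos = m.end()
        while (p := _PARAM.match(sd, pos)):
            name = p.group(1).lower()
            if name in params:
                problems.append(f"{sd_id}: param {p.group(1)!r} repeats or differs only in case")
            # Assumption of this sketch: the last value wins. The module's
            # behaviour for such input is not specified on the page.
            params[name] = re.sub(r'\\(["\\\]])', r'\1', p.group(2))
            pos = p.end()
        if sd[pos:pos + 1] != "]":
            raise ValueError(f"malformed SD-ELEMENT near offset {pos}")
        pos += 1
    return tree, problems


if __name__ == "__main__":
    print(parse_sd(SAMPLE_SD))
```

A non-empty problems list marks a message whose parsed fields should not be trusted for filtering without checking the raw message.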

This documentation is part of the rsyslog project. Copyright © 2013 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.