( eyez00 | 2022. 09. 19., Mon – 12:30 )

For interest's sake, if I chase it through in JSON format from the source, via the relay, all the way to the ESK's syslog (for simplicity with the same destination settings at every step, but still without a json parser in the source or log section), then this is what the content of the MESSAGE field looks like in Elastic. (I wrapped it a bit for readability.)


<13>1 2022-09-19T11:06:07+02:00 192.168.0.123 465 - - - 

{
	"SOURCE":"s_network","PROGRAM":"465","PRIORITY":"notice",
	
	"MESSAGE":"<13>1 2022-09-19T09:06:07+00:00 x600-device - - - - 
	
	{
		\"SOURCE\":\"s_system\",\"PRIORITY\":\"notice\",\"MESSAGE\":\"[2022-09-19T09:06:07.229Z] [ warning] [vmsvc] RecordRoutingInfo: Unable to collect IPv6 routing table.\",\"ISODATE\":\"2022-09-19T09:06:07+00:00\",\"HOST_IP\":\"192.168.0.123\",\"HOST_FROM\":\"x600-device\",\"HOST\":\"x600-device\",\"FILE_NAME\":\"/var/log/vmware-vmsvc-root.log\",\"FACILITY\":\"user\",\"DATE\":\"Sep 19 09:06:07\",\"@timestamp\":\"2022-09-19T09:06:07+00:00\"
	}",

"LEGACY_MSGHDR":"465 ","ISODATE":"2022-09-19T11:06:07+02:00","HOST_FROM":"192.168.0.123","HOST":"192.168.0.123","FACILITY":"user","ENV":"13","DATE":"Sep 19 11:06:07","@timestamp":"2022-09-19T11:06:07+02:00"

}


Destination settings:

destination d_syslog_tcp {
    # template() only replaces the MSG part: the syslog() driver still prepends the
    # RFC 5424 header (<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD) in front of the JSON.
    syslog("<syslog_server_ip>" transport("tcp") port(514) template("$(format_json --scope rfc3164 --scope nv-pairs --key ISODATE @timestamp=${ISODATE} --key FILE_NAME --pair ENV=\"`ENV`\" )\n\n")  );
};


However, with an ingest pipeline I can't dig anything out of this field yet, because it says:

{
  "docs": [
    {
      "error": {
        "root_cause": [
          {
            "type": "illegal_argument_exception",
            "reason": "Illegal character inside unquoted field at 59"
          }
        ],
        "type": "illegal_argument_exception",
        "reason": "Illegal character inside unquoted field at 59"
      }
    }
  ]
}
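As an added example (not from the post, nor syslog-ng or Elastic code), here is how the nested MESSAGE shown above can be taken apart: each layer is an RFC 5424 header followed by the templated JSON, which is why a json processor choking on the raw field is the expected outcome. The sample message is constructed from the field values in the post; the header regex and the `unwrap` helper are assumptions of this example, not project code.

```python
import json
import re

# RFC 5424 header the syslog() driver puts before the templated MSG:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD (SD assumed "-" or one [..]).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?")

def split_header(msg):
    """Return (header fields, remaining MSG); ValueError if no header."""
    m = HEADER_RE.match(msg)
    if not m:
        raise ValueError("no RFC 5424 header at start of message")
    return m.groupdict(), msg[m.end():].strip()

def parses_as_json(text):
    """Roughly what the ingest pipeline json processor does with the raw field."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

def unwrap(msg):
    """Peel header+JSON layers, outermost first, until a plain message remains."""
    layers = []
    while True:
        try:
            header, body = split_header(msg)
            fields = json.loads(body)  # JSONDecodeError is a ValueError
        except ValueError:
            break  # plain text or non-JSON payload: nothing more to peel
        layers.append({"header": header, "fields": fields})
        msg = fields.get("MESSAGE")
        if not isinstance(msg, str):
            break
    return layers

# Constructed sample from the field values in the post, compacted (a JSON string
# cannot hold the raw line breaks the post added for readability).
_inner = {"SOURCE": "s_system", "PRIORITY": "notice", "HOST": "x600-device",
          "FILE_NAME": "/var/log/vmware-vmsvc-root.log", "MESSAGE":
          "[2022-09-19T09:06:07.229Z] [ warning] [vmsvc] RecordRoutingInfo: Unable to collect IPv6 routing table."}
INNER_MSG = "<13>1 2022-09-19T09:06:07+00:00 x600-device - - - - " + json.dumps(_inner)
_outer = {"SOURCE": "s_network", "PROGRAM": "465", "PRIORITY": "notice",
          "HOST": "192.168.0.123", "MESSAGE": INNER_MSG}
SAMPLE = "<13>1 2022-09-19T11:06:07+02:00 192.168.0.123 465 - - - " + json.dumps(_outer) + "\n\n"
```

Running `unwrap(SAMPLE)` yields two layers (relay, then source host) with the original vmsvc line as the innermost MESSAGE; `parses_as_json(SAMPLE)` is False until the header is stripped, which is the same failure the ingest pipeline reports.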