Update use-tcp-endpoint-forward-logs-new-relic.mdx

added optional instructions so customers can add custom attributes to their syslog data.
newrelic · Jun 14, 2023 · 411f0b1 · 411f0b1
1 parent 0acbf83
commit 411f0b1
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/src/content/docs/logs/log-api/use-tcp-endpoint-forward-logs-new-relic.mdx b/src/content/docs/logs/log-api/use-tcp-endpoint-forward-logs-new-relic.mdx
@@ -74,12 +74,36 @@ To forward logs to New Relic with `rsyslog` for Amazon Linux, Redhat, and Centos
           StreamDriverMode="1"
    )
    ```
-6. Restart the `rsyslog` service by running:
+6. Optional: Add custom attributes to your syslog data. Replace the `%structured-data%` section in the template string with custom tags/attributes. This can be accomplished in two ways:
+   a. Add custom attributes directly in the template string. Take note to escape the double quotes `"` for the string values. 
+
+   `[<STRUCTURED_DATA_ID> <ATTR_NAME_1>="<ATTR_VALUE_1>" <ATTR_NAME_2>="<ATTR_VALUE_2>" ...]`
+
+   ```properties
+   template(name="newrelic-rfc5424"
+            type="string"
+            string="YOUR_LICENSE_KEY <%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [someId environment=\"prod\" region=\"US\"] %msg%\n"
+   )
+   ```
+   b. Add custom attributes using a custom property variable in the template string. Using this method allows users to avoid escaping string characters in the option above.
+
+   ```properties
+   template(name="newrelic-rfc5424"
+            type="string"
+            string="YOUR_LICENSE_KEY <%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% %!custom-structured-data% %msg%\n"
+   )
+
+   set $!custom-structured-data = '[someId1 environment="prod" region="US"][someId2 team="sre" cost-center="123"]';
+   ```   
+
+   These methods above allow for extensive custom tagging of syslog data so that it can be consistent with the rest of the telemetry data.
+
+7. Restart the `rsyslog` service by running:
 
    ```bash
    sudo systemctl restart rsyslog
    ```
-7. [Check your New Relic account](/docs/logs/log-management/ui-data/explore-your-data-log-analytics) for logs.
+8. [Check your New Relic account](/docs/logs/log-management/ui-data/explore-your-data-log-analytics) for logs.
 
 ## Configure rsyslog versions 8 and above with compression (Amazon Linux, Redhat, Centos) [#rsyslog-compression]