New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add GELF support, at least for output #292
Comments
A first review shows that "what needs to be done" may actually be not nothing. If I understand the GELF spec [ https://www.graylog.org/resources/gelf-2/ ] correctly, rsyslog already has everything that's needed to write and transport GELF, it "just" needs to be configured correctly:
So it looks like the question boils more down to "what exactly is needed?". Any feedback on that would be appreciated. |
Here is an example of how this is done with Elasticsearch: http://www.rsyslog.com/output-to-elasticsearch-in-logstash-format-kibana-friendly/ This is probably useful for the JSON part. Note that there are other ways to write the JSON, but to suggest anything specific, I would need to know what should be mapped to what... |
From the GELF specs page (https://www.graylog.org/resources/gelf-2/) the following fields should be set by the client : version string (UTF-8) : host string (UTF-8) : short_message string (UTF-8) : full_message string (UTF-8) : timestamp number : level number : facility string (UTF-8) : |
I read the spec, but some questions still remain open. What should go in "host" - we can add the hostname, we can add the tag, or we can add hostname and tag concatenated .. or anything else. What should go in short_messages vs. full_message? We only have a single msg object in rsyslog, and that's the message as it is. We could put that into full_message. And maybe shorten short_message to e.g. the first 128 chars? Is it correct that the facility should now be discarded? We could create a template e.g. to do as follows: "1.1" --> version |
Is 128 char truncated message really useful? How is it used? And considering it's easy to build denormalization, isn't t best done by consumer? Is it useful to potentially have tags pushed in short message field? |
I will try to answer some of @rgerhards questions.
Hope that helps. 😃 Let me know if you have any further questions. |
While the spec says |
@jpmens True, we currently do not check this. 😕 |
Well, the version shouldn't be any problem at all, it's just constant text. As it looks, all we need to do in rsyslog is to configure a proper template - and that's it. So it looks like it's no programming required, just doing a small config snippet. Then, of course, it would be helpful to have someone who actually tries it out. |
What about structured data? It would be nice if that can be broken up into GELF additional fields. Is that also possible with templates? |
@bernd I need to check for structured data, maybe we need some extra properties for it. But I don't think so mmpstrucdata should take care of that. Is there anything else that a "GELF output" should handle? Remember that I am trying to spec up things... |
Some more notes:
|
As far as I understood, the Graylog only needs the null-byte as message delimiter when using TCP, right? So it should work with default UDP!? This null-byte delimiter is an issue, that Rainer needs to look at. Anyway, I have prepared a template to reflect the GELF format as described above and I left out the full_message since it is not really needed. This gave me messages like this:
Can someone please confirm if the template works for them with UDP transport? Here is the template:
|
@friedl Yes, the null-byte delimiter is only for TCP connections. Default UDP should work, yes. I will test the template tomorrow. |
👍 for breaking up structured syslog data into GELF fields |
@lennartkoopmann I'll look at breaking up structured data asap. However, it's still very seldomly used. I guess the best approach is to say "submit normalized data to GELF properties". That's a much broader thing and plays well with rsyslog's normalization. But let me see first if the simple things work. |
The template that @friedl posted works for me on 7.4.4. |
That sounds great. So let me ask about additional fields, e.g. for structured data. I just re-read the GELF spec page. It sounds to me that you can add additional fields with prefixing them by underscore (e.g. "_some_field"), but it sounds like no hierarchy is supported. Is that correct? I ask because we have a 2-layer hierarchy in RFC5424 structured data, and potentially many more layers when receiving JSON data. So I need to find out how to put this into GELF. |
Yes, the current GELF version does not support hierarchies. For parsing RFC5424 in Graylog we are currently prefixing the keys with the SD-ID. (if configured) This isn't really nice but the simplest thing that came to our mind at that time. |
Thx. I need to think how to shuffle the definitions inside the templates. It's probably a bit tricky and maybe requires some code to be written. |
Hello, any news about the null-byte as message delimiter when using TCP? |
Still no null-byte for TCP? |
@colttt @opensysnotes msg terminator for TCP is totally off-topic for this issue, thus no response here |
@friedl template worked fine for a long time, but latest versions of graylog now always says warning on timestamp, like this:
it is only warning and message processed fine itself. |
I made this template, it's more neat. Some fields optional.
|
As mentioned on Twitter, a couple of folks have interest in adding GELF support to rsyslog. This tracker is intended to help scope what actually needs to be done.
The text was updated successfully, but these errors were encountered: