import_json

[itskrs]

We are trying to send an application log to NLS in json format. When I use nc on the log file it works fine. When rsyslog sends the log information to NLS we receive a _jsonparsefailure. It looks like it never gets to the filters due to the parse failure. It looks like it is taking our g6url field and not recognizing the end of the field. Here is a sample of the log entry.

<133>May 31 09:05:18 hostname arc_applog: {"timestamp":"2018-05-31 09:05:11,392","level":"INFO","logger":"com.domain2.jdbc.VersaPayRestConfigurationsDao","thread":"http-bio-8443-exec-2","stacktrace":"-","httpresponsecode":"0","sqlerror":"-","requestId":"14643636","g6url":"https://hostname.domain.com:8443/domain ... essage":"V Key: *****yA3N","errormessage":"-"}

The strange thing is that when in the NLS gui and I hover over the g6url field it highlights everything from https to V (https://hostname.domain.com:8443/domain ... essage":"V)

I think this is what causes the jsonparsefailure, but I don't understand why.

Thanks,
Ken

[cdienger]

rsyslog is tacking on some additional data to the line which is likely throwing the json parsing off. If the data is sent via rsyslog they it should be sent to a syslog input and through filters to parse the json.

I tested this which seems to do the job:

input:

syslog {
type => 'syslog-json'
port => 5545
}

filter:

if [type] == 'syslog-json' {
json{source => 'message'}
}

[itskrs]

Thanks,

I will give that a try.

Ken

[itskrs]

Thanks again. While I did not use the syslog-json input and custom filter your suggestion did lead me to an article using json over rsyslog that I had not seen before. It allows for the removal of the excess information (i.e. timestamp) being inserted by rsyslog. It now seems to be working.
If you have this problem please check out: https://support.nagios.com/kb/article.pgp?id=564


Thanks,
Ken