
understanding omelasticsearch / template=
https://www.rsyslog.com/files/temp/doc-indent/configuration/modules/omelasticsearch.html


Default value of template=" ... " is

$template JSONDefault,
"{\"message\":\"%msg:::json%\",\"fromhost\":\"%HOSTNAME:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}"



This does not look like JSON CEE

Therefore, if other applications are submitting CEE events[1] to
rsyslog, they do not use the same field names

Which JSON schema (if any) does the JSONDefault value attempt to comply
with?

Is there a recommended value of JSONDefault for CEE fields?

Regards,

Daniel

1. https://cee.mitre.org/language/1.0-beta1/core-profile.html
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: understanding omelasticsearch / template=
I put this line in my config:

$template JSONCEE,
"{\"msg\":\"%msg:::json%\",\"pname\":\"%programname%\",\"host\":\"%HOSTNAME:::json%\",\"syslog!fac\":\"%syslogfacility%\",\"syslog!pri\":\"%syslogpriority%\",\"time\":\"%timereported:::date-rfc3339%\"}"


and selected it in the action for omelasticsearch:

local2.* action(type="omelasticsearch"
template="JSONCEE")


Notice that in the CEE profile[1], the following are mandatory; they are
not the same as the names used in the rsyslog default template:

host
pname
time
msg


I tested this for regular Syslog events coming from a non-CEE source

Regards,

Daniel


On 09/07/2021 17:47, Daniel Pocock wrote:
>
>
>
> https://www.rsyslog.com/files/temp/doc-indent/configuration/modules/omelasticsearch.html
>
>
> Default value of template=" ... " is
>
> $template JSONDefault,
> "{\"message\":\"%msg:::json%\",\"fromhost\":\"%HOSTNAME:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}"
>
>
>
> This does not look like JSON CEE
>
> Therefore, if other applications are submitting CEE events[1] to
> rsyslog, they do not use the same field names
>
> Which JSON schema (if any) does the JSONDefault value attempt to comply
> with?
>
> Is there a recommended value of JSONDefault for CEE fields?
>
> Regards,
>
> Daniel
>
> 1. https://cee.mitre.org/language/1.0-beta1/core-profile.html
>
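The following script is an example added by the editor; it is not rsyslog code and not part of Daniel's posts. It takes the two $template lines from the thread verbatim, renders them against a constructed sample event using only the subset of rsyslog's property-replacer syntax the templates use (%name%, %name:::json%, %name:::date-rfc3339%; fromChar/toChar are ignored), parses the result as JSON, and reports which of the four mandatory CEE core-profile fields listed above are missing. It also lists which properties a template interpolates without the json option, since a quote or backslash in such a value would produce a document that is not valid JSON. The event values, the function names and the field list are this example's own assumptions.

```python
"""Render the rsyslog templates from the thread and check CEE mandatory fields.

Editor's example, not rsyslog or list-member code. Only the property-replacer
subset used by these two templates is implemented.
"""
import json
import re
from datetime import datetime, timezone

# The two legacy $template lines from the thread, each joined onto one line.
TEMPLATE_LINES = {
    "JSONDefault": r'$template JSONDefault,"{\"message\":\"%msg:::json%\",\"fromhost\":\"%HOSTNAME:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}"',
    "JSONCEE": r'$template JSONCEE,"{\"msg\":\"%msg:::json%\",\"pname\":\"%programname%\",\"host\":\"%HOSTNAME:::json%\",\"syslog!fac\":\"%syslogfacility%\",\"syslog!pri\":\"%syslogpriority%\",\"time\":\"%timereported:::date-rfc3339%\"}"',
}

# Mandatory CEE core-profile fields, as listed in the second post.
CEE_MANDATORY = ("host", "pname", "time", "msg")

# Constructed sample event (hypothetical values, not from the thread).
SAMPLE_EVENT = {
    "msg": ' Accepted publickey for "alice" from 192.0.2.10',
    "HOSTNAME": "web01",
    "programname": "sshd",
    "syslogfacility": 10, "syslogfacility-text": "authpriv",
    "syslogpriority": 6, "syslogpriority-text": "info",
    "timereported": datetime(2021, 7, 9, 17, 47, tzinfo=timezone.utc),
    "timegenerated": datetime(2021, 7, 9, 17, 47, 1, tzinfo=timezone.utc),
}

TEMPLATE_RE = re.compile(r'^\$template\s+(\w+),\s*"(.*)"\s*$')
# %property:fromChar:toChar:options% ; only property and options are used here.
PROP_RE = re.compile(r'%([A-Za-z0-9_!.$-]+)(?::([^:%]*):([^:%]*):([^%]*))?%')


def parse_template_line(line):
    """Return (name, template_text) from a legacy $template line."""
    m = TEMPLATE_RE.match(line)
    if not m:
        raise ValueError("not a $template line: %r" % line)
    # Inside an rsyslog string literal, \" stands for a literal quote.
    return m.group(1), m.group(2).replace('\\"', '"')


def render(template, event):
    """Substitute rsyslog properties from `event` into the template text."""
    def replace(m):
        name, options = m.group(1), (m.group(4) or "")
        value = event[name]
        if "date-rfc3339" in options:
            value = value.isoformat()        # e.g. 2021-07-09T17:47:00+00:00
        value = str(value)
        if "json" in options:
            value = json.dumps(value)[1:-1]  # JSON-escape, drop the outer quotes
        return value
    return PROP_RE.sub(replace, template)


def missing_cee_fields(doc):
    """Mandatory CEE field names absent from a rendered JSON object."""
    return [f for f in CEE_MANDATORY if f not in doc]


def unescaped_properties(template):
    """Properties interpolated without the json option (not JSON-escaped)."""
    return [m.group(1) for m in PROP_RE.finditer(template)
            if "json" not in (m.group(4) or "")]


def check(name, event=None):
    """Render template `name`, parse the output as JSON and run both checks."""
    if event is None:
        event = SAMPLE_EVENT
    _, text = parse_template_line(TEMPLATE_LINES[name])
    doc = json.loads(render(text, event))   # raises if the output is not JSON
    return {"doc": doc,
            "missing": missing_cee_fields(doc),
            "unescaped": unescaped_properties(text)}


if __name__ == "__main__":
    for name in TEMPLATE_LINES:
        result = check(name)
        print(name, "- missing CEE fields:", result["missing"] or "none")
        print("  properties not json-escaped:", result["unescaped"])
        print(" ", json.dumps(result["doc"]))
```

Run as-is it shows JSONDefault lacking all four mandatory CEE fields and JSONCEE providing them, while both templates interpolate several properties (programname, the facility/priority values, the timestamps) without the json option; only msg and HOSTNAME are escaped.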