The `syslog_parser` operator parses the string-type field selected by `parse_from` as syslog. Timestamp parsing is handled automatically by this operator.
| Field | Default | Description |
| --- | --- | --- |
| `id` | `syslog_parser` | A unique identifier for the operator |
| `output` | Next in pipeline | The connected operator(s) that will receive all outbound entries |
| `parse_from` | `$` | The field to be parsed as syslog |
| `parse_to` | `$` | The field that the parsed syslog structure is written to |
| `preserve` | `false` | Preserve the unparsed value on the record |
| `on_error` | `send` | The behavior of the operator if it encounters an error. See `on_error` |
| `protocol` | required | The protocol to parse the syslog messages as. Options are `rfc3164` and `rfc5424` |
| `timestamp` | `nil` | An optional timestamp block which will parse a timestamp field before passing the entry to the output operator |
| `severity` | `nil` | An optional severity block which will parse a severity field before passing the entry to the output operator |
Configuration:

```yaml
- type: syslog_parser
  protocol: rfc3164
```
Input record:

```json
{
  "timestamp": "",
  "record": "<34>Jan 12 06:30:00 1.2.3.4 apache_server: test message"
}
```

Output record:

```json
{
  "timestamp": "2020-01-12T06:30:00Z",
  "record": {
    "appname": "apache_server",
    "facility": 4,
    "hostname": "1.2.3.4",
    "message": "test message",
    "msg_id": null,
    "priority": 34,
    "proc_id": null,
    "severity": 2
  }
}
```