diff options
| author | Vincent Bernat <Vincent.Bernat@exoscale.ch> | 2015-09-30 14:32:07 +0200 |
|---|---|---|
| committer | Eric Leblond <eric@regit.org> | 2015-10-02 12:11:36 +0200 |
| commit | 0ea23cc7ad69556c71787a791fd8e13942540f16 (patch) | |
| tree | fb9088aa0ce3c36012e5e8caa9c7b3e12f2f3ad4 | |
| parent | c9337b31f756cae85299c8275b21088ce02885e2 (diff) | |
json: output messages in JSONv1 format
While Logstash is quite flexible in the JSON messages received, the
canonical format it "expects" is the JSON Event v1 format. The timestamp
should be keyed by `@timestamp` and there should be a `@version` key
whose value is 1. All other keys are free.
There is no formal specification of this format. It is however described
here:
https://github.com/elastic/logstash/blob/1.5/lib/logstash/event.rb#L26-L47
It's useful to respect this format as it allows a user to use a less
capable receiver. The new format is enabled only when `eventv1=1` is set
in plugin configuration.
Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>
| -rw-r--r-- | output/ulogd_output_JSON.c | 15 | ||||
| -rw-r--r-- | ulogd.conf.in | 3 |
2 files changed, 17 insertions, 1 deletions
diff --git a/output/ulogd_output_JSON.c b/output/ulogd_output_JSON.c index 3ad2620..36a4d49 100644 --- a/output/ulogd_output_JSON.c +++ b/output/ulogd_output_JSON.c @@ -46,6 +46,7 @@ enum json_conf { JSON_CONF_FILENAME = 0, JSON_CONF_SYNC, JSON_CONF_TIMESTAMP, + JSON_CONF_EVENTV1, JSON_CONF_DEVICE, JSON_CONF_BOOLEAN_LABEL, JSON_CONF_MAX @@ -72,6 +73,12 @@ static struct config_keyset json_kset = { .options = CONFIG_OPT_NONE, .u = { .value = 1 }, }, + [JSON_CONF_EVENTV1] = { + .key = "eventv1", + .type = CONFIG_TYPE_INT, + .options = CONFIG_OPT_NONE, + .u = { .value = 0 }, + }, [JSON_CONF_DEVICE] = { .key = "device", .type = CONFIG_TYPE_STRING, @@ -101,6 +108,9 @@ static int json_interp(struct ulogd_pluginstance *upi) return ULOGD_IRET_ERR; } + if (upi->config_kset->ces[JSON_CONF_EVENTV1].u.value != 0) + json_object_set_new(msg, "@version", json_integer(1)); + if (upi->config_kset->ces[JSON_CONF_TIMESTAMP].u.value != 0) { time_t now; char timestr[MAX_LOCAL_TIME_STRING]; @@ -130,7 +140,10 @@ static int json_interp(struct ulogd_pluginstance *upi) t->tm_min, t->tm_sec); } - json_object_set_new(msg, "timestamp", json_string(timestr)); + if (upi->config_kset->ces[JSON_CONF_EVENTV1].u.value != 0) + json_object_set_new(msg, "@timestamp", json_string(timestr)); + else + json_object_set_new(msg, "timestamp", json_string(timestr)); } if (upi->config_kset->ces[JSON_CONF_DEVICE].u.string) { diff --git a/ulogd.conf.in b/ulogd.conf.in index 8893175..9624a4b 100644 --- a/ulogd.conf.in +++ b/ulogd.conf.in @@ -209,6 +209,9 @@ sync=1 # by the input plugin is coding the action on packet: if 0, then # packet has been blocked and if non null it has been accepted. #boolean_label=1 +# Uncomment the following line to use JSON v1 event format that +# can provide better compatility with some JSON file reader. +#eventv1=1 [pcap1] #default file is /var/log/ulogd.pcap |