The `syslog_parser` operator parses the string-type field selected by `parse_from` as syslog. Timestamp parsing is handled automatically by this operator.
| Field | Default | Description |
|---|---|---|
| `id` | `syslog_parser` | A unique identifier for the operator |
| `output` | Next in pipeline | The connected operator(s) that will receive all outbound entries |
| `parse_from` | `$` | A field that indicates the field to be parsed as syslog |
| `parse_to` | `$` | A field that indicates where the parsed syslog fields will be written |
| `preserve_to` | | Preserves the unparsed value at the specified field |
| `on_error` | `send` | The behavior of the operator if it encounters an error. See on_error |
| `protocol` | required | The protocol to parse the syslog messages as. Options are `rfc3164` and `rfc5424` |
| `location` | `UTC` | The geographic location (timezone) to use when parsing the timestamp (RFC 3164 only: an RFC 3164 timestamp carries no timezone offset, whereas an RFC 5424 timestamp carries its own). The available locations depend on the local IANA Time Zone database, which contains many entries such as `America/New_York`. |
| `timestamp` | `nil` | An optional timestamp block which will parse a timestamp field before passing the entry to the output operator |
| `severity` | `nil` | An optional severity block which will parse a severity field before passing the entry to the output operator |
| `if` | | An expression that, when set, will be evaluated to determine whether this operator should be used for the given entry. This allows you to do easy conditional parsing without branching logic with routers. |
Configuration:

```yaml
- type: syslog_parser
  protocol: rfc3164
```
Input record:

```json
{
  "timestamp": "",
  "record": "<34>Jan 12 06:30:00 1.2.3.4 apache_server: test message"
}
```

Output record:

```json
{
  "timestamp": "2020-01-12T06:30:00Z",
  "record": {
    "appname": "apache_server",
    "facility": 4,
    "hostname": "1.2.3.4",
    "message": "test message",
    "msg_id": null,
    "priority": 34,
    "proc_id": null,
    "severity": 2
  }
}
```

Two details of this output are worth noting. The `<34>` PRI value is decomposed as `facility * 8 + severity`, so `34` yields facility `4` and severity `2`; the `severity` key in the record is the raw syslog severity from the message, not the value a separate `severity` block on the operator would assign. The RFC 3164 timestamp `Jan 12 06:30:00` carries neither a year nor a timezone, so the year in the output is assumed to be the current year at parse time (2020 when this example was produced) and the time is interpreted in the `location` timezone (`UTC` by default). If the source host writes local time, set `location` accordingly or the resulting timestamps will be offset from the true event time.
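The following is an added example that is not part of the collector's code or this page: a small Python parser that performs the same decomposition the operator does for both protocols, so the `priority`/`facility`/`severity` arithmetic, the RFC 3164 year and `location` assumptions, and the RFC 5424 NILVALUE (`-`) handling can be checked on constructed input. The function names (`parse_syslog`, `run_operator`, `split_pri`), the `year` parameter, and the `on_error` behaviour modelled in `run_operator` (`send` passes an unparsable entry through unchanged, `drop` discards it) are assumptions for illustration, not the operator's API.

```python
"""Added example: minimal RFC 3164 / RFC 5424 syslog parsing.
Not the collector's code; names and on_error handling are assumptions."""
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG   (no year, no timezone)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>[^\]]+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# RFC 5424: <PRI>VER TIMESTAMP HOST APP PROCID MSGID SD [MSG]; "-" is NILVALUE
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def split_pri(pri):
    """PRI = facility * 8 + severity; RFC 5424 bounds it to 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def _iso_utc(dt):
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def _nil(value):
    return None if value in (None, "-") else value


def parse_rfc3164(line, location="UTC", year=None):
    m = RFC3164_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    facility, severity = split_pri(pri)
    # The timestamp has no year and no zone: assume the current year unless
    # told otherwise, and interpret the wall-clock time in `location`.
    year = year if year is not None else datetime.now(timezone.utc).year
    tz = timezone.utc if location == "UTC" else ZoneInfo(location)
    ts_text = " ".join(m["ts"].split())  # collapse "Jan  2" double space
    ts = datetime.strptime(f"{ts_text} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=tz)
    return {
        "timestamp": _iso_utc(ts),
        "record": {
            "appname": m["tag"], "facility": facility, "hostname": m["host"],
            "message": m["msg"], "msg_id": None, "priority": pri,
            "proc_id": m["pid"], "severity": severity,
        },
    }


def parse_rfc5424(line):
    m = RFC5424_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    facility, severity = split_pri(pri)
    # RFC 5424 timestamps carry their own offset, so `location` is not needed.
    ts_raw = _nil(m["ts"])
    ts = None if ts_raw is None else _iso_utc(
        datetime.fromisoformat(ts_raw.replace("Z", "+00:00")))
    return {
        "timestamp": ts,
        "record": {
            "appname": _nil(m["app"]), "facility": facility, "hostname": _nil(m["host"]),
            "message": m["msg"], "msg_id": _nil(m["msgid"]), "priority": pri,
            "proc_id": _nil(m["pid"]), "severity": severity,
            "structured_data": _nil(m["sd"]),
        },
    }


def parse_syslog(line, protocol, location="UTC", year=None):
    """Dispatch on the required `protocol` option, as the operator does."""
    if protocol == "rfc3164":
        return parse_rfc3164(line, location=location, year=year)
    if protocol == "rfc5424":
        return parse_rfc5424(line)
    raise ValueError(f"unsupported protocol: {protocol}")


def run_operator(entries, protocol, on_error="send", **kwargs):
    """Assumed on_error model: 'send' forwards the raw entry, 'drop' discards it."""
    out = []
    for entry in entries:
        try:
            out.append(parse_syslog(entry, protocol, **kwargs))
        except ValueError:
            if on_error == "send":
                out.append(entry)
    return out


if __name__ == "__main__":
    # Constructed input: the page's own example line plus a malformed one.
    lines = ["<34>Jan 12 06:30:00 1.2.3.4 apache_server: test message", "not syslog"]
    for e in run_operator(lines, "rfc3164", year=2020):
        print(e)
```

Running it with `location="America/New_York"` for the same line moves the emitted timestamp from `06:30:00Z` to `11:30:00Z`, which is the offset a misconfigured `location` silently introduces into every event from that host. Treat `hostname` and `appname` as untrusted input: they are copied verbatim from the wire and a sender can put anything there.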