Open guedressel opened 7 years ago
The plugin doesn't parse the structured data section. It will simply put the structured data into the message section of the fluentd record. What would you like to see from a record perspective if we parsed the structured data?
After some thinking and reading I now see this issue as a bigger story: My suggestion is to parse the whole Structured-Data parts (RFC5424, Section 6.3) into a key "data" (or maybe "sdata"?).
A parsed syslog event could then look like this:
```json
{
  "host": "host-name",
  "ident": "user",
  "pid": "-",
  "msgid": "-",
  "message": "log message",
  "data": {
    "timeQuality": {
      "tzKnown": 1,
      "isSynced": 1,
      "syncAccuracy": 288500
    },
    "origin": {
      "ip": ["10.9.8.7", "10.9.4.3"],
      "enterpriseId": "",
      "software": "the-better-app",
      "swVersion": "42"
    },
    "meta": {
      "sequenceId": 11,
      "sysUpTime": 23342390,
      "language": "en-US"
    },
    "exampleSDID@32473": {
      "iut": "3",
      "eventSource": "Application",
      "eventID": "1011"
    },
    "examplePriority@32473": {
      "class": "high"
    }
  }
}
```
What do you think about it?
In a test of this plugin I found the timeQuality (RFC5424, Section 7.1) part of the message not being parsed. Would be nice if it gets added to the parser.
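A sketch of how the nested "data" layout proposed above could be produced from the STRUCTURED-DATA field (RFC5424, Section 6.3). This is an added example, not the plugin's code: `parse_structured_data` is a hypothetical helper, `SAMPLE` is constructed input, values are kept as strings, and a repeated parameter such as `ip` is collected into an array. It honours the `\"`, `\\` and `\]` escapes so that a parameter value cannot close its element early and inject a forged one.

```ruby
require 'strscan'

# SD-NAME (RFC 5424, Section 6.3): 1-32 printable US-ASCII chars
# except '=', SP, ']' and '"'.
SD_NAME = /[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}/
# PARAM-VALUE body: stops at an unescaped '"' or ']'; a backslash
# always consumes the character that follows it.
PARAM_VALUE = /(?:[^"\\\]]|\\.)*/m

# Hypothetical helper (not the plugin's API). Parses the STRUCTURED-DATA
# field into { sd_id => { param_name => value } }; NILVALUE "-" gives {}.
def parse_structured_data(sd)
  return {} if sd == '-'
  s = StringScanner.new(sd)
  data = {}
  until s.eos?
    s.skip(/\[/) or raise ArgumentError, "expected '[' at offset #{s.pos}"
    id = s.scan(SD_NAME) or raise ArgumentError, "bad SD-ID at offset #{s.pos}"
    # The RFC forbids the same SD-ID appearing twice in one message.
    raise ArgumentError, "duplicate SD-ID #{id}" if data.key?(id)
    params = data[id] = {}
    while s.skip(/ /)
      name = s.scan(SD_NAME) or raise ArgumentError, "bad PARAM-NAME at offset #{s.pos}"
      s.skip(/="/) or raise ArgumentError, "expected '=\"' at offset #{s.pos}"
      raw = s.scan(PARAM_VALUE)
      s.skip(/"/) or raise ArgumentError, "unterminated value at offset #{s.pos}"
      # Only the three defined escapes are unescaped; any other backslash
      # stays a literal backslash, as the RFC requires.
      value = raw.gsub(/\\(["\\\]])/, '\1')
      # A repeated PARAM-NAME (e.g. origin ip) becomes an array.
      params[name] = params.key?(name) ? Array(params[name]) << value : value
    end
    s.skip(/\]/) or raise ArgumentError, "expected ']' at offset #{s.pos}"
  end
  data
end

# Constructed sample: the eventSource value tries to smuggle in a forged element.
SAMPLE = '[timeQuality tzKnown="1" isSynced="1" syncAccuracy="288500"]' \
         '[origin ip="10.9.8.7" ip="10.9.4.3" software="the-better-app" swVersion="42"]' \
         '[exampleSDID@32473 iut="3" eventSource="App\] [forged admin=\"1\"\]" eventID="1011"]'

puts parse_structured_data(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```
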