cloudfoundry / fluent-plugin-syslog_rfc5424

MIT License

structured_data_field format #10

Open 1tft opened 3 years ago

1tft commented 3 years ago

Hello, I tried for several hours to find out which format structured_data_field has to be in. E.g. when I set structured_data_field structured_data with the following value via record_transformer:

    <filter **>
      @type record_transformer
      enable_ruby true
      <record>
        structured_data ${"test@123 {'a' => 'a-value'}"}
      </record>
    </filter>

fluent-plugin-syslog_rfc5424 gives me the following output logline: <14>1 - - - - - test@123 {"a"=>"a-value"} -

As you can see, the structured data is not formatted as it should be: <14>1 - - - - - [test@123 a="a-value"] -

So I wonder, how do I have to commit the structured data field to the plugin so that it produces correct output?

PS: All other fields are working like a charm (-;

1tft commented 3 years ago

@Benjamintf1 do you have any hint for us regarding correct structured data format?

Benjamintf1 commented 3 years ago

Hmm, it's been a while since I've worked on this, or used this. I think I got into a place where I got overwhelmed with the possibility of configuring this, and we changed structured_data to just take a field that has been pre-configured to be structured data. You can see in the github.com/cloudfoundry/cf-k8s-logging repo (this was what the project was initiated for, but I can't say I'm working on it as things stand) an example of the usage. Hope that helps.

Benjamintf1 commented 3 years ago

(The overwhelming part comes in where rfc5424 allows any message to have multiple structured data elements, each with their own tag and multiple elements, something that's hard to set up a configurator for in terms of fluent-d setup, and in that sense, I suspect that a filter to transform the records before the structured data field is likely far more efficient, as well as involving less maintenance from everyone, as well as being a little bit more "best practicey", even if it gives up some rfc5424 niceties and error checking).

1tft commented 3 years ago

Thank you for your answer! As I understand it, currently structured_data_field "only" passes through the given field without any modifications. So I have to format my structured_data_field on my own as rfc5424-valid structured data. Because I have many (unknown) key/value pairs in my logs (which I only want to forward as valid syslog structured data to another syslog input). Data is parsed as json in fluentd, so I have many "key" => "value" pairs which I have to convert to key => "value" (key without quotes). Thank you for your detailed clarification, so I don't have to invest any longer to get it "working" and I will try to search for another solution.
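
Added example (not part of the thread and not the plugin's own code): since the field is passed through unmodified, the string stored in it has to be built as RFC 5424 STRUCTURED-DATA beforehand. The sketch below does that for parsed key/value pairs and escapes `"`, `\` and `]` in values so that a logged value cannot close the element early; the helper names are hypothetical and the sample inputs are constructed.

```ruby
# Added example: render parsed key/value pairs as RFC 5424 STRUCTURED-DATA.
# Helper names are hypothetical; sample inputs are constructed.

# SD-NAME: 1..32 printable US-ASCII chars (0x21..0x7e) except '=', ']', '"'.
SD_NAME     = /\A[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}\z/
SD_NAME_BAD = /[^\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]/

# PARAM-VALUE: '"', '\' and ']' must each be preceded by a backslash.
def sd_escape(value)
  value.to_s.gsub(/["\\\]]/) { |c| "\\#{c}" }
end

# Unknown JSON keys may not be valid PARAM-NAMEs: replace bad chars, cap length.
def sd_param_name(key)
  name = key.to_s.gsub(SD_NAME_BAD, '_')[0, 32]
  name.empty? ? '_' : name
end

# One SD-ELEMENT: [SD-ID name="value" ...]
def sd_element(sd_id, params)
  unless SD_NAME.match?(sd_id.to_s)
    raise ArgumentError, "invalid SD-ID: #{sd_id.inspect}"
  end
  pairs = params.map { |k, v| %(#{sd_param_name(k)}="#{sd_escape(v)}") }
  "[#{[sd_id, *pairs].join(' ')}]"
end

# Whole STRUCTURED-DATA field: elements concatenated, or "-" when there are none.
def structured_data(elements)
  return '-' if elements.empty?
  elements.map { |id, params| sd_element(id, params) }.join
end

if $PROGRAM_NAME == __FILE__
  puts structured_data('test@123' => { 'a' => 'a-value' })
end
```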