1

How do you properly format json messages and send them over amqp with syslog-ng?

The json format should look something like this.

{"log":"This is the error message...", "date":"xxx", "source":"xxx"}

The problem I have is that the message is not always a valid json string.

e.g.

"log":"This is a "serious" error message."

How would I go about escaping the message?

My syslog-ng configuration looks something like this.

destination d_amqp {
    amqp(
        vhost("/")
        host("127.0.0.1")
        port(5672)
        username("guest") # required option, no default
        password("guest") # required option, no default
        exchange("syslog")
        exchange_type("header")
        routing_key("my-routing-key")
        body("\{\"log\":\"${MSG}\"\}")
        persistent(yes)
        value-pairs(
            scope("selected-macros" "nv-pairs" "sdata")
        )
    );
};

This is just an example, as I don't have the actual configuration in front of me right now.

eandersson
  • 43
  • 1
  • 7

1 Answers1

3

You should use the $(format-json) template function instead of handcrafting the json payload.

That will do the escaping for you. Not to mention that you can query the set of name-value pairs within a message and make the json more dynamic, for instance by adding all name-value pairs with a specific prefix.

Here is a link to the documentation: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-v3.5-guide-admin/html/reference-template-functions.html

Algernon has posted a lengthy blog post on json too. See here: https://algernon.blogs.balabit.com/2012/02/cee-handling-with-syslog-ng-ose/

DerStoffel
  • 103
  • 3
bazsi77
  • 146
  • 1