This format plugin enables Drill to query syslog formatted data as specified in RFC-5424, as shown below.
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
This format plugin has the following configuration options:
maxErrors: Sets the maximum number of malformed lines that the format plugin will tolerate before throwing an error and halting execution.
flattenStructuredData: Syslog data optionally contains a series of key/value pairs known as the structured data. By default, Drill will parse these into a map.

Example configuration:

"syslog": {
  "type": "syslog",
  "extensions": [ "syslog" ],
  "maxErrors": 10,
  "flattenStructuredData": false
}
Since the structure of the data contained in a syslog message is well known, the plugin returns a fixed set of fields, listed below. In terms of data types, the event_date field is a datetime; severity_code, facility_code, and proc_id are integers; all other fields are VARCHARs.

Note: All fields, with the exception of event_date, are optional, so not all fields may be present at all times.

event_date: The time of the event
severity_code: The severity code of the event
facility_code: The facility code of the event
severity: The severity of the event
facility: The facility of the event
ip: The IP address or hostname of the source machine
app_name: The name of the application that generated the event
proc_id: The ID of the process that generated the event
msg_id: The identifier of the message
message: The actual message text of the event
_raw: The full text of the event

Syslog data can contain a list of key/value pairs, which Drill will extract into a field called structured_data. This field is a Drill Map.
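As an added example that is not part of the plugin or its documentation, the following Python reproduces the field mapping described above for the RFC 5424 line shown on this page: PRI decoded into facility and severity codes, the NIL value ('-') surfaced as a missing field, structured data collected into a map, and a maxErrors-style tolerance for malformed lines. The facility and severity name strings follow common syslog usage and are an assumption; this page does not give Drill's exact names.

```python
import re
from datetime import datetime
# Sample input: the RFC 5424 line shown on this page (it carries no free-text MSG part).
SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 '
          'iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]')
# PRI = facility * 8 + severity (RFC 5424 section 6.2.1); facilities 16-23 are local0-local7.
# Name strings are an assumption of this example, not Drill's documented output.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
HEADER = re.compile(r"<(\d{1,3})>\d+ (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)", re.S)
SD_ELEMENT = re.compile(r'\[([^ \]]+)((?: [^= \]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^= ]+)="((?:[^"\\]|\\.)*)"')

def parse_structured_data(rest):  # split SD-ELEMENTs from the trailing MSG -> (map, message)
    if rest.startswith("-"):  # NILVALUE: no structured data at all
        return {}, rest[1:].strip() or None
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT.match(rest, pos)
        if not m:
            raise ValueError("malformed structured data: %r" % rest[pos:])
        sd[m.group(1)] = dict(SD_PARAM.findall(m.group(2)))
        pos = m.end()
    return sd, rest[pos:].strip() or None

def parse_syslog(line):  # map one RFC 5424 line onto the columns the Drill plugin exposes
    m = HEADER.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 line: %r" % line)
    pri, ts, host, app, proc, msgid, rest = m.groups()
    fac, sev = int(pri) >> 3, int(pri) & 7
    sd, message = parse_structured_data(rest)
    nil = lambda v: None if v == "-" else v  # '-' is the RFC 5424 NILVALUE
    return {
        "event_date": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "severity_code": sev, "facility_code": fac, "severity": SEVERITIES[sev],
        "facility": FACILITIES[fac] if fac < 16 else "local%d" % (fac - 16),
        "ip": nil(host), "app_name": nil(app), "msg_id": nil(msgid),
        "proc_id": int(proc) if proc.isdigit() else nil(proc),
        "message": message, "structured_data": sd, "_raw": line,
    }

def read_lines(lines, max_errors=10):  # mirror maxErrors: skip bad lines until the budget is spent
    rows, errors = [], 0
    for line in lines:
        try:
            rows.append(parse_syslog(line))
        except ValueError:
            errors += 1
            if errors > max_errors:
                raise  # this is where Drill halts execution
    return rows
```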