This format plugin enables Drill to query syslog formatted data as specified in RFC 5424, as shown below:

```
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
```
This format plugin has the following configuration options:

* `maxErrors`: Sets the maximum number of malformed lines that the format plugin will tolerate before throwing an error and halting execution.
* `flattenStructuredData`: Syslog data optionally contains a series of key/value pairs known as the structured data. By default, Drill will parse these into a map.

```json
"syslog": {
  "type": "syslog",
  "extensions": [ "syslog" ],
  "maxErrors": 10,
  "flattenStructuredData": false
}
```
Since the structure of the data contained in a syslog message is well known, the plugin assigns fixed data types: the `event_date` field is a datetime; `severity_code`, `facility_code`, and `proc_id` are integers; and all other fields are VARCHARs.

**Note: All fields, with the exception of `event_date`, are optional, so not all fields may be present at all times.**

* `event_date`: This is the time of the event
* `severity_code`: The severity code of the event
* `facility_code`: The facility code of the incident
* `severity`: The severity of the event
* `facility`: The facility of the event
* `ip`: The IP address or hostname of the source machine
* `app_name`: The name of the application that is generating the event
* `proc_id`: The process ID of the event that generated the event
* `msg_id`: The identifier of the message
* `message`: The actual message text of the event
* `_raw`: The full text of the event

Syslog data can contain a list of key/value pairs which Drill will extract in a field called `structured_data`. This field is a Drill Map.
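To make the field layout, the type assignments and the two configuration options concrete, here is an added illustration of how an RFC 5424 line is broken into the fields listed above. This is example code written for this page, not the Drill plugin's own implementation: the function names (`parse_line`, `parse_lines`), the severity and facility name tables, the `sd_id_param` naming used when structured data is flattened, and the sample lines (the page's own example plus two constructed ones, one deliberately malformed to exercise `maxErrors`) are all assumptions of the example.

```python
"""Added illustration of the Drill syslog plugin's field layout (not Drill's code)."""
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, followed by
# STRUCTURED-DATA ("-" or one or more [id k="v" ...] elements) and an optional MSG.
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?'
    r'(?P<rest>.*)$'
)
_SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^\s=]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' ([^\s=]+)="((?:[^"\\]|\\.)*)"')

# Standard syslog names (assumed for the example; the page does not list them).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"
              ] + [f"local{i}" for i in range(8)]


def _nil(value):
    """RFC 5424 uses '-' as the NILVALUE; the page notes such fields are optional."""
    return None if value == "-" else value


def _parse_structured_data(text):
    """Return ({sd_id: {param: value}}, remainder-after-structured-data)."""
    if text.startswith("-"):
        return {}, text[1:]
    sd, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        m = _SD_ELEMENT.match(text, pos)
        if not m:
            raise ValueError(f"malformed structured data at offset {pos}")
        sd[m.group("id")] = {k: v.replace('\\"', '"')
                             for k, v in _SD_PARAM.findall(m.group("params"))}
        pos = m.end()
    return sd, text[pos:]


def parse_line(line, flatten_structured_data=False):
    """Map one RFC 5424 line onto the field names and types the page lists."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility_code, severity_code = divmod(pri, 8)   # PRI = facility * 8 + severity
    sd, remainder = _parse_structured_data(m.group("rest"))
    if remainder and not remainder.startswith(" "):
        raise ValueError("unexpected text after structured data")
    ts = _nil(m.group("ts"))
    proc_id = _nil(m.group("procid"))
    record = {
        "event_date": datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None,
        "severity_code": severity_code,
        "facility_code": facility_code,
        "severity": SEVERITIES[severity_code],
        "facility": FACILITIES[facility_code],
        "ip": _nil(m.group("host")),
        "app_name": _nil(m.group("app")),
        # The page types proc_id as an integer; RFC 5424 allows any token, kept as text here.
        "proc_id": int(proc_id) if proc_id is not None and proc_id.isdigit() else proc_id,
        "msg_id": _nil(m.group("msgid")),
        "message": remainder[1:] if remainder else None,
        "_raw": line,
    }
    if flatten_structured_data:
        # Assumed flattened naming "<sd_id>_<param>"; the page only says a map is the default.
        for sd_id, params in sd.items():
            for key, value in params.items():
                record[f"{sd_id}_{key}"] = value
    else:
        record["structured_data"] = sd   # the Drill Map the page describes
    return record


def parse_lines(lines, max_errors=10, flatten_structured_data=False):
    """Tolerate up to max_errors malformed lines, then stop, mirroring maxErrors."""
    records, errors = [], 0
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line:
            continue
        try:
            records.append(parse_line(line, flatten_structured_data))
        except ValueError as exc:
            errors += 1
            if errors > max_errors:
                raise RuntimeError(f"line {n}: {exc} (maxErrors={max_errors} exceeded)") from exc
    return records, errors


# Constructed sample: the page's own line, a line with a message and numeric PROCID,
# and one malformed line.
SAMPLE_LINES = [
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[examplePriority@32473 class="high"]',
    '<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su 2319 ID47 - '
    'su root failed for lonvick on /dev/pts/8',
    'this is not a syslog line',
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES)[0]:
        print(rec)
```

Running the module on the sample shows the page's line yielding `facility_code` 20 and `severity_code` 5 (PRI 165), a `NULL` `proc_id` and `message`, and a two-entry `structured_data` map; with `flatten_structured_data=True` the same parameters appear as top-level columns instead.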