I have the following log record that my app is generating:
{ "msg": " {\"Timestamp\":\"2024-02-23T12:37:32.183981314Z\",\"ID\":\"common\/command.Done\"}", "rawmsg": "<134>Feb 23 12:37:32 imp[7377]: {\"Timestamp\":\"2024-02-23T12:37:32.183981314Z\",\"ID\":\"common\/command.Done\"}", "timereported": "2024-02-23T12:37:32.184055+00:00", "hostname": "host1", "syslogtag": "imp[7377]:", "inputname": "imuxsock", "fromhost": "host1", "fromhost-ip": "127.0.0.1", "pri": "134", "syslogfacility": "16", "syslogseverity": "6", "timegenerated": "2024-02-23T12:37:32.184055+00:00", "programname": "imp", "protocol-version": "0", "structured-data": "-", "app-name": "imp", "procid": "7377", "msgid": "-", "uuid": null, "$!": null }
Then my rsyslog template /etc/rsyslog.d/10-template.conf looks like:
template(name="JSONparser" type="list") {
    property(name="$!msg.ID")
    constant(value="\n")
}
And the rsyslog conf itself at /etc/rsyslog.d/20-app.conf:
module(load="mmjsonparse")
if ($programname startswith 'imp') and ($syslogfacility-text == 'local0') and
   ($syslogseverity <= '6') then
action(type="mmjsonparse")
action(
    type="omfile"
    file="/var/log/test.log"
    template="JSONparser"
)
But I only got an empty /var/log/test.log file...
What I want is to parse out fields of ANY depth from a msg: field in a log record.
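
A corrected form of the two files above, as an added example that is not part of the original post. It assumes the empty output comes from three things: `then` without braces, mmjsonparse's default `@cee:` cookie, and the `$!msg.ID` property path. The nested names `Details` and `Code` are hypothetical.

```conf
# /etc/rsyslog.d/10-template.conf
# mmjsonparse stores each parsed key directly under the $! root, so the
# "ID" key of the JSON carried in msg is $!ID, not $!msg.ID.
# Nested keys are separated with "!": {"Details":{"Code":1}} is $!Details!Code
# ("Details" and "Code" are hypothetical names, not fields of the record above).
template(name="JSONparser" type="list") {
    property(name="$!ID")
    constant(value="\n")
}

# /etc/rsyslog.d/20-app.conf
module(load="mmjsonparse")

# Without braces, "then" applies only to the next statement, so both
# actions are grouped in one block here.
if ($programname startswith 'imp') and ($syslogfacility-text == 'local0') and
   ($syslogseverity <= '6') then {
    # cookie="" accepts messages that do not start with the default "@cee:" cookie.
    action(type="mmjsonparse" cookie="")
    # Write only records whose JSON actually parsed, so a malformed message
    # does not produce a blank line in the output file.
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/test.log" template="JSONparser")
    }
}
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.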