I am trying to parse the syslog message field using Line Protocol. I am constrained to using RFC 3164 and want to only parse the MSG part, as explained in the documentation.
<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
The message section of this syslog line would be: 'su root' failed for lonvick on /dev/pts/8
When I disable the parser and only send a single word as the message, all default syslog fields are set as expected. (first row)
But after enabling [processors.parser] and sending the message in Line Protocol format, all the fields are messed up (second row). And enabling the parse_tags option results in errors printed to stdout.
The error message:
[processors.parser] could not parse tag host: metric parse error: expected tag at 1:13: "cc83be50ce3b"
Format of the message string:
# measurement name
'nginx-request,'
# tag: the request host
'host=$http_host,'
# tag: usually http or https
'scheme=$scheme,'
# tag: http method
'method=$request_method,'
# tag: request path
# ','
# tag: protocol, such as HTTP/1.1 or HTTP/2.0
'protocol=$server_protocol,'
# tag: http response status
'status=$status '
# field: number of bytes sent to the client
'bytes_sent=${bytes_sent}u,'
# field: TLS cipher
'ssl_cipher="$ssl_cipher",'
# field: TLS protocol
'ssl_protocol="$ssl_protocol",'
# field: request length including headers and body
'request_length=${request_length}u,'
# field: client IP
'remote_addr="$remote_addr",'
# field: full path and arguments
'request_uri="$request_uri",'
# field: http referer
'http_referer="$http_referer",'
# field: x-forwarded-for header
'http_x_forwarded_for="$http_x_forwarded_for",'
# field: request processing time in ms
'request_time=${request_time} '
# end with unix timestamp
'$epoch_ms';
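To see what the parser processor is actually being asked to do with the MSG part, here is an added example (editor's code, not Telegraf's): a minimal RFC 3164 splitter and a small line-protocol parser, run over a constructed nginx-style message built like the format above. It also shows why the 12-character tag value "cc83be50ce3b" from the error quoted above cannot be parsed as line protocol: the input ends where a tag or field set should start, which is exactly "expected tag at 1:13". The regex and the error wording are simplifications of Telegraf's own.

```python
import re
# RFC 3164 layout: <PRI>MMM dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (minimal regex, not Telegraf's)
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

def split_rfc3164(line):
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    return m.groupdict()          # the 'msg' group is what the parser processor receives

def _scan(text, start, stop, quoted=True):
    """Index of the first unescaped char in `stop` (outside "..." when quoted), else len(text)."""
    i, inq = start, False
    while i < len(text):
        c = text[i]
        if quoted and c == '"':
            inq = not inq
        elif c in stop and not inq:
            return i
        i += 2 if c == "\\" else 1   # line-protocol escapes: '\ ' '\,' '\=' '\"'
    return len(text)

def _kv_pairs(section, quoted):   # 'k=v,k2=v2' split on unescaped commas, raw values kept
    out, i = {}, 0
    while i < len(section):
        j = _scan(section, i, ",", quoted)
        k, _, v = section[i:j].partition("=")
        out[k] = v
        i = j + 1
    return out

def parse_line_protocol(text):
    """measurement[,tag=v...] field=v[,...] [timestamp] -> dict; ValueError with Telegraf-style position."""
    head_end = _scan(text, 0, " ", quoted=False)
    if head_end == len(text):     # input ended inside the tag set: no field set at all
        raise ValueError(f"metric parse error: expected tag at 1:{head_end + 1}")
    comma = _scan(text[:head_end], 0, ",", quoted=False)
    field_end = _scan(text, head_end + 1, " ")
    fields = _kv_pairs(text[head_end + 1:field_end], quoted=True)
    if not fields:
        raise ValueError(f"metric parse error: expected field at 1:{head_end + 2}")
    return {"measurement": text[:comma], "tags": _kv_pairs(text[comma + 1:head_end], quoted=False),
            "fields": fields, "timestamp": text[field_end + 1:].strip() or None}

# Constructed sample: container-style hostname as in the question, nginx-style line-protocol MSG
SAMPLE = ('<134>Oct 11 22:14:15 cc83be50ce3b nginx: nginx-request,host=example.org,scheme=https,'
          'method=GET,protocol=HTTP/1.1,status=200 bytes_sent=512u,ssl_cipher="TLS_AES_256_GCM_SHA384",'
          'request_uri="/a?b=1,2 c",request_time=0.003 1697062455000')
```

Calling parse_line_protocol(split_rfc3164(SAMPLE)["host"]) raises the same "expected tag at 1:13" message, while parse_line_protocol(split_rfc3164(SAMPLE)["msg"]) yields the measurement, tags, fields and timestamp.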