remove JSON parsing as graylog now supports it fully

Question

remove JSON parsing as graylog now supports it fully

SjonHortensius opened this issue 5 years ago · 2 comments

remove json parsing from SystemdJournal2Gelf - let users configure this themselves as a pipeline. Steps to recreate this as a custom pipeline:

Go to /system/pipelines in your graylog install and create a new pipeline
Edit the new pipeline and add a stage:
In the first stage, add a rule to interpret the message as json:

rule "interpret message as JSON"
when
    has_field("message") && starts_with(to_string($message.message), "{\"")
then
    let json = parse_json(to_string($message.message));
    let map = to_map(json);
    set_fields(map);

    rename_field("Message", "message");
    rename_field("FullMessage", "full_message");
end

you can prefix additional stages to cleanup your message eg. when receiving messages from php-fpm:

rule "strip fpm pool prefix"
when
  has_field("message") && starts_with(to_string($message.message), "pool ")
then
  set_field("message", regex_replace("^pool [a-zA-Z_\\[\\d\\]]+: ", to_string($message.message), ""));
end

attach the pipeline to the appropriate stream(s). Make sure the Pipeline Processor is configured after Message Filter Chain in system/configurations

Answer 1 · 2020-08-13T11:11:50.000Z

Hi @SjonHortensius just found this by accident.
I think the README.md requires updating, so people don't expect this JSON parsing to happen automatically.

Answer 2 · 2020-08-13T12:52:34.000Z

@hmmmsausages you're right - I've updated the README.MD