Hello.
First of all, I've read this article and tried to do such thing, but no luck.
Logs are from MongoDB Community event source.
Log example:
"Jan 24 16:30:10 mongodb-linux-test-1 MONGODB-AUDIT: {"t":{"$date":"2022-01-24T16:30:01.081+06:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.168.1.100:58595","connectionId":37,"connectionCount":1}}"
I've tried to parse only these ("s":"I", "c":"NETWORK", "id":22943)
My log parser file is:
<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES
name="mongodb_audit_custom"
displayname="MONGODB CUSTOM"
group="Database">
<VERSION
xml="62"
checksum="47a2bb0d3341b498eb15e4e72ebf1916"
revision="143"
device="2.0" />
<HEADER
id1="0001"
id2="0001"
content="<fld> <fld> <fld> <hhost> <messageid>: <!payload>"/>
<MESSAGE
id1="MONGODB-AUDIT"
id2="MONGODB-AUDIT"
content="<logstash_json_payload>" />
<VARTYPE name="logstash_json_payload" dataType="FileBeatsEvent"/>
<DataType name="ElasticCommonSchemaSubset" format="JSON">
<Capture key="/s" meta="severity" />
<Capture key="/c" meta="ec_subject" />
<Capture key="/id" meta="reference_id" />
</DataType>
After (re-)deployment I've get such result(message id is OK, but no metas of severity, reference, subject):
Please, explain what is wrong with my parser file.
1 ACCEPTED SOLUTION
Accepted Solutions
If the message is logstash/JSON, there is an easier way.
From v11.6, you can utilize Logstash/Beats plugin on Log Collector and use JSON Mappings on Log Parser Rules configuration.
Please, refer the attached ppt deck as an example.
Instead of writing a new parser, you can do same thing on web UI.
For the JSON mapping, there is no concept of headers and messages.
As JSON is structured data, you only need to define hierachical path for each values.
