*SOLVED*: Input Gelf -> Output Syslog -> extract container_name from JSON and set $SourceName

denny.fuchs@inatec.com

Hello,

We are using Nomad, which sends logs in GELF format. We need to forward them to Rsyslog and also to Graylog. For Syslog I want to set $SourceName, which needs to be extracted from the JSON / GELF.

The config looks like this:

 

...

<Input container>
    Module      im_tcp
    ListenAddr  127.0.0.1:12202
    InputType   GELF_TCP
</Input>

...

<Output syslog-container-server>
    Module  om_udp
    Host    ${user.logserver}
    Port    514
    Exec    to_json();
    Exec    $message =~ s/-p[^\s]+/-pXXX/;
    Exec    to_syslog_bsd();
</Output>

...

<Route container-to-syslog>
    Path    container => syslog-container-buffer => syslog-container-server
</Route>

And the log on the rsyslog:

Apr 15 15:24:26 qh-a07-nomad-agent-03 {"version": "1.1","Hostname":"qh-a07-nomad-agent-03","ShortMessage":"[2024-04-15 13:24:26] app.DEBUG: Connected to redis...PONG [] []","EventTime":"2024-04-15T15:24:26.376000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"f1...","container_name":"iframes-c77e666c-fd39-f6f6-4d57-b416a4a7e28a","created":"2024-04-12T08:58:36.870730597Z","image_id":"sha256:2a26fed9c075899cfe86d74f8f44c2729be0f392a96d10c938795fe84036506d","image_name":"repos/production/iframes/production:68c00192","tag":"production","MessageSourceAddress":"127.0.0.1","EventReceivedTime":"2024-04-15T15:24:26.376703+02:00","SourceModuleName":"container","SourceModuleType":"im_tcp"}

How can I extract container_name and use it for $SourceName = 'my_application'; so that "my_application" is replaced with the content of "container_name"?

cu denny
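
One way to do what the post asks, as an added example that is not part of the original thread or the poster's configuration: the forwarded JSON above shows container_name as a top-level event field, so it can be copied into $SourceName before to_syslog_bsd() builds the syslog header. The fallback value 'container' is an assumption for events that arrive without the field.

```nxlog
<Output syslog-container-server>
    Module  om_udp
    Host    ${user.logserver}
    Port    514
    <Exec>
        # to_syslog_bsd() takes the syslog tag from $SourceName, so set it
        # from the GELF field before the header is generated.
        if defined $container_name
        {
            $SourceName = $container_name;
        }
        else
        {
            # Assumed fallback so events without the field still get a tag.
            $SourceName = 'container';
        }

        # Unchanged from the original configuration.
        to_json();
        $message =~ s/-p[^\s]+/-pXXX/;
        to_syslog_bsd();
    </Exec>
</Output>
```

Because the assignment runs before to_json(), the JSON payload will also carry a SourceName key alongside container_name.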