Diffstat (limited to 'contrib/format-syslog/README.md')
-rw-r--r--contrib/format-syslog/README.md41
1 files changed, 41 insertions, 0 deletions
diff --git a/contrib/format-syslog/README.md b/contrib/format-syslog/README.md
new file mode 100644
index 000000000..2d7cbd8b1
--- /dev/null
+++ b/contrib/format-syslog/README.md
@@ -0,0 +1,41 @@
+# Syslog Format Plugin
+This format plugin enables Drill to query syslog formatted data as specified in RFC-5424, as shown below.
+
+```
+<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
+```
+
+## Configuration Options
+This format pluin has the following configuration options:
+
+* **`maxErrors`**: Sets the maximum number of malformatted lines that the format plugin will tolerate before throwing an error and halting execution
+* **`flattenStructuredData`**: Syslog data optionally contains a series of key/value pairs known as the structured data. By default, Drill will parse these into a `map`.
+
+```
+"syslog": {
+ "type": "syslog",
+ "extensions": [ "syslog" ],
+ "maxErrors": 10,
+ "flattenStructuredData": false
+}
+```
+
+## Fields
+Since the structure of the data contained in a syslog is well known. In terms of data types, the `event_date` field is a datetime, the `severity_code`, `facility_code`, and `proc_id` are integers and all other fields are VARCHARs.
+
+** Note: All fields, with the exception of the `event_date`, are not required, so not all fields may be present at all times. **
+
+* `event_date`: This is the time of the event
+* `severity_code`: The severity code of the event
+* `facility_code`: The facility code of the incident
+* `severity`: The severity of the event
+* `facility`:
+* `ip`: The IP address or hostname of the source machine
+* `app_name`: The name of the application that is generating the event
+* `proc_id`: The process ID of the event that generated the event
+* `msg_id`: The identifier of the message
+* `message`: The actual message text of the event
+* `_raw`: The full text of the event
+
+### Structured Data
+Syslog data can contain a list of key/value pairs which Drill will extract in a field called `structured_data`. This field is a Drill Map. \ No newline at end of file
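Review bot: the `facility` bullet in the Fields list (`* \`facility\`:`) has no description, and the sentence opening that section ("Since the structure of the data contained in a syslog is well known.") is a fragment with no main clause; both should be completed before merge. Smaller points in the same hunk: "pluin" under Configuration Options should be "plugin"; the `** Note: ... **` line has spaces inside the asterisks, so Markdown will not render it as bold (use `**Note:** ...`); the `flattenStructuredData` entry only describes the default `map` behaviour and should state what the reader gets when it is set to `true`; and the `maxErrors` entry should say what happens to the tolerated malformed lines (skipped, or nulled), since that is what a user relies on when a log source emits non-RFC-5424 lines. The file also lacks a trailing newline.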