New: Option to let the user choose how the syslog plugin have to prep…

…end SDPARAMs
influxdata · May 24, 2018 · dd6c6c0 · dd6c6c0
1 parent 09f869b
commit dd6c6c0
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 19 deletions.
diff --git a/plugins/inputs/syslog/README.md b/plugins/inputs/syslog/README.md
@@ -6,7 +6,7 @@ It can act as a syslog transport receiver over TLS (or TCP) - ie., RFC5425 - or
 
 This plugin listens for syslog messages following RFC5424 format. When received it parses them extracting metrics.
 
-### Configuration:
+### Configuration
 
 ```toml
 [[inputs.syslog]]
@@ -40,12 +40,18 @@ This plugin listens for syslog messages following RFC5424 format. When received
 
   ## Read timeout (default = 500ms).
   ## 0 means unlimited.
-  ## Only applies to stream sockets (e.g. TCP).
   # read_timeout = 500ms
 
   ## Whether to parse in best effort mode or not (default = false).
   ## By default best effort parsing is off.
   # best_effort = false
+
+  ## Character to prepend to SD-PARAMs (default = "_").
+  ## A syslog message can contain multiple parameters and multiple identifiers within structured data section.
+  ## Eg., [id1 name1="val1" name2="val2"][id2 name1="val1" nameA="valA"]
+  ## For each combination a field is created.
+  ## Its name is created concatenating identifier, sdparam_separator, and parameter name.
+  # sdparam_separator = "_"
 ```
 
 #### Other configs
@@ -55,22 +61,23 @@ Other available configurations are:
 - `keep_alive_period`, `max_connections` for stream sockets
 - `read_timeout`
 - `best_effort` to tell the parser to work until it is able to do and extract partial but valid info (more [here](https://github.com/influxdata/go-syslog#best-effort-mode))
+- `sdparam_separator` to choose how to separate structured data param name from its structured data identifier
 
 ### Metrics
 
 - syslog
   - fields
     - **version** (`uint16`)
+    - **severity_code** (`int`)
+    - **facility_code** (`int`)
     - timestamp (`time.Time`)
     - procid (`string`)
     - msgid (`string`)
-    - _structureddata element id_ (`bool`)
-    - _structureddata element parameter name_ (`string`)
+    - *sdid* (`bool`)
+    - *sdid . sdparam_separator . sdparam_name* (`string`)
   - tags
     - **severity** (`string`)
-    - **severity_level** (`string`)
     - **facility** (`string`)
-    - **facility_message** (`string`)
     - hostname (`string`)
     - appname (`string`)
 

diff --git a/plugins/inputs/syslog/rfc5425_test.go b/plugins/inputs/syslog/rfc5425_test.go
@@ -44,8 +44,8 @@ func getTestCasesForRFC5425() []testCase5425 {
 						"msgid":         "2",
 						"message":       `"GET /v1/ok HTTP/1.1" 200 145 "-" "hacheck 0.9.0" 24306 127.0.0.1:40124 575`,
 						"origin":        true,
-						"meta sequence": "14125553",
-						"meta service":  "someservice",
+						"meta_sequence": "14125553",
+						"meta_service":  "someservice",
 						"severity_code": 5,
 						"facility_code": 3,
 					},
@@ -68,8 +68,8 @@ func getTestCasesForRFC5425() []testCase5425 {
 						"msgid":         "2",
 						"message":       `"GET /v1/ok HTTP/1.1" 200 145 "-" "hacheck 0.9.0" 24306 127.0.0.1:40124 575`,
 						"origin":        true,
-						"meta sequence": "14125553",
-						"meta service":  "someservice",
+						"meta_sequence": "14125553",
+						"meta_service":  "someservice",
 						"severity_code": 5,
 						"facility_code": 3,
 					},
@@ -359,6 +359,7 @@ func newTCPSyslogReceiver(keepAlive *internal.Duration, maxConn int, bestEffort
 		},
 		ReadTimeout: d,
 		BestEffort:  bestEffort,
+		Separator:   "_",
 	}
 	if keepAlive != nil {
 		s.KeepAlivePeriod = keepAlive

diff --git a/plugins/inputs/syslog/rfc5426_test.go b/plugins/inputs/syslog/rfc5426_test.go
@@ -102,8 +102,8 @@ func getTestCasesForRFC5426() []testCase5426 {
 					"msgid":         "2",
 					"message":       `"GET /v1/ok HTTP/1.1" 200 145 "-" "hacheck 0.9.0" 24306 127.0.0.1:40124 575`,
 					"origin":        true,
-					"meta sequence": "14125553",
-					"meta service":  "someservice",
+					"meta_sequence": "14125553",
+					"meta_service":  "someservice",
 					"severity_code": 5,
 					"facility_code": 3,
 				},
@@ -124,8 +124,8 @@ func getTestCasesForRFC5426() []testCase5426 {
 					"msgid":         "2",
 					"message":       `"GET /v1/ok HTTP/1.1" 200 145 "-" "hacheck 0.9.0" 24306 127.0.0.1:40124 575`,
 					"origin":        true,
-					"meta sequence": "14125553",
-					"meta service":  "someservice",
+					"meta_sequence": "14125553",
+					"meta_service":  "someservice",
 					"severity_code": 5,
 					"facility_code": 3,
 				},
@@ -211,6 +211,7 @@ func newUDPSyslogReceiver(bestEffort bool) *Syslog {
 			return defaultTime
 		},
 		BestEffort: bestEffort,
+		Separator:  "_",
 	}
 }
 

diff --git a/plugins/inputs/syslog/syslog.go b/plugins/inputs/syslog/syslog.go
@@ -30,6 +30,7 @@ type Syslog struct {
 	ReadTimeout     *internal.Duration
 	MaxConnections  int
 	BestEffort      bool
+	Separator       string `toml:"sdparam_separator"`
 
 	now func() time.Time
 
@@ -77,12 +78,18 @@ var sampleConfig = `
 
   ## Read timeout (default = 500ms).
   ## 0 means unlimited.
-  ## Only applies to stream sockets (e.g. TCP).
   # read_timeout = 500ms
 
   ## Whether to parse in best effort mode or not (default = false).
   ## By default best effort parsing is off.
   # best_effort = false
+
+  ## Character to prepend to SD-PARAMs (default = "_").
+  ## A syslog message can contain multiple parameters and multiple identifiers within structured data section.
+  ## Eg., [id1 name1="val1" name2="val2"][id2 name1="val1" nameA="valA"]
+  ## For each combination a field is created.
+  ## Its name is created concatenating identifier, sdparam_separator, and parameter name.
+  # sdparam_separator = "_"
 `
 
 // SampleConfig returns sample configuration message
@@ -182,7 +189,7 @@ func (s *Syslog) listenPacket(acc telegraf.Accumulator) {
 
 		message, err := p.Parse(b[:n], &s.BestEffort)
 		if message != nil {
-			acc.AddFields("syslog", fields(*message), tags(*message), s.now())
+			acc.AddFields("syslog", fields(*message, s), tags(*message), s.now())
 		}
 		if err != nil {
 			acc.AddError(err)
@@ -282,7 +289,7 @@ func (s *Syslog) store(res rfc5425.Result, acc telegraf.Accumulator) {
 	}
 	if res.Message != nil {
 		msg := *res.Message
-		acc.AddFields("syslog", fields(msg), tags(msg), s.now())
+		acc.AddFields("syslog", fields(msg, s), tags(msg), s.now())
 	}
 }
 
@@ -304,7 +311,7 @@ func tags(msg rfc5424.SyslogMessage) map[string]string {
 	return ts
 }
 
-func fields(msg rfc5424.SyslogMessage) map[string]interface{} {
+func fields(msg rfc5424.SyslogMessage, s *Syslog) map[string]interface{} {
 	// Not checking assuming a minimally valid message
 	flds := map[string]interface{}{
 		"version": msg.Version(),
@@ -337,7 +344,7 @@ func fields(msg rfc5424.SyslogMessage) map[string]interface{} {
 			}
 			for name, value := range sdparams {
 				// Using whitespace as separator since it is not allowed by the grammar within SDID
-				flds[sdid+" "+name] = value
+				flds[sdid+s.Separator+name] = value
 			}
 		}
 	}
@@ -363,6 +370,7 @@ func init() {
 		ReadTimeout: &internal.Duration{
 			Duration: defaultReadTimeout,
 		},
+		Separator: "_",
 	}
 
 	inputs.Add("syslog", func() telegraf.Input { return receiver })