= Linux/Rsyslog/Json =
 * Links  [[https://techpunch.co.uk/development/how-to-shop-json-logs-via-rsyslog|Json Format]]
 * Why? Structured fields.

== Parse incoming json ==
 * Msg should start with the CEE cookie, followed by the JSON object: {{{ @cee: { } }}}
 * Use module mmjsonparse {{{
module(load="mmjsonparse") #for parsing CEE-enhanced syslog messages
#try to parse a structured log
*.* :mmjsonparse:
   }}}
 * e.g. json log {{{
# logger '@cee: {"foo": "bar", "foo2": "bar2"}'
}}}



== Template to generate json msg ==
 * Template basic {{{
#define a template to print all fields of the message
template(name="messageToES" type="list") {
  property(name="$!all-json")
}
   }}}

 * Template custom {{{
template(name="customTemplate" type="list") {
   constant(value="{\"timestamp\":\"")
   property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"syslogtag\":\"")
   property(name="syslogtag" format="json")
#- close the quotes for syslogtag
#- add a comma
#- then add our JSON-formatted syslog message,
# but start from the 2nd position to omit the left
# curly bracket, continue json.
   constant(value="\",")
   property(name="$!all-json" position.from="2")
}
}}}
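
Added example (not part of the original page): a checker for lines written with customTemplate. Because the template splices the parsed fields in after its own two keys, a payload that carries its own "timestamp" or "syslogtag" yields a repeated key, and an empty field object leaves a trailing comma. The sample lines and all names below are constructed for illustration.

```python
import json
from collections import Counter

REQUIRED = ("timestamp", "syslogtag")  # keys customTemplate always writes

class DuplicateKeys(ValueError):
    def __init__(self, keys):
        super().__init__("duplicate keys: " + ", ".join(keys))
        self.keys = keys

def _pairs(pairs):
    # json.loads would silently keep the last value of a repeated key;
    # inspect the raw pairs so the repeat is reported instead.
    counts = Counter(key for key, _ in pairs)
    dupes = sorted(k for k, n in counts.items() if n > 1)
    if dupes:
        raise DuplicateKeys(dupes)
    return dict(pairs)

def check_line(line):
    """Classify one output line: ok, duplicate, invalid or missing."""
    try:
        obj = json.loads(line, object_pairs_hook=_pairs)
    except DuplicateKeys as exc:
        return "duplicate", exc.keys
    except json.JSONDecodeError as exc:
        return "invalid", exc.msg
    if not isinstance(obj, dict):
        return "invalid", "not a JSON object"
    missing = [k for k in REQUIRED if k not in obj]
    if missing:
        return "missing", missing
    return "ok", sorted(obj)

# Constructed sample lines in the shape customTemplate produces.
SAMPLES = [
    # parsed fields spliced in after the two fixed keys
    '{"timestamp":"2024-05-01T10:00:00+00:00","syslogtag":"app:", "foo": "bar", "foo2": "bar2" }',
    # the payload carried its own "syslogtag", so the key appears twice
    '{"timestamp":"2024-05-01T10:00:01+00:00","syslogtag":"app:", "syslogtag": "sshd:", "foo": "bar" }',
    # the spliced object was empty: only "}" remains after the comma
    '{"timestamp":"2024-05-01T10:00:02+00:00","syslogtag":"cron:",}',
]

def run():
    return [check_line(line) for line in SAMPLES]

if __name__ == "__main__":
    for status, detail in run():
        print(status, detail)
```

Lines reported as duplicate deserve attention downstream: most JSON parsers keep the last value of a repeated key, so the value from the message payload would replace the one rsyslog wrote.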


== Json size ==
 * JSON messages can exceed the default max msg size of 8k; if needed, increase it with {{{
$MaxMessageSize 64k
   }}}