Syslog Format Plugin

Apr 10, 2019

Starting in Drill 1.16, Drill provides a syslog format plugin, which enables Drill to query syslog formatted data as specified in RFC-5424, as shown:

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]  

Configuration Options

The syslog format plugin provides the following configuration options:

  • maxErrors
    Sets the maximum number of malformatted lines that the format plugin will tolerate before throwing an error and halting execution.
  • flattenStructuredData
    Syslog data optionally contains a series of key/value pairs known as the structured data. By default, Drill will parse these into a map.

    "syslog": {
       "type": "syslog",
       "extensions": [ "syslog" ],
       "maxErrors": 10,
       "flattenStructuredData": false
    }  
    

Fields

In terms of data types, the event_date field is a datetime, the severity_code, facility_code, and proc_id are integers and all other fields are VARCHARs.

Note: All fields, with the exception of the event_date field, are not required; therefore, all fields may not be present at all times.

  • event_date
    This is the time of the event
  • severity_code
    The severity code of the event
  • facility_code
    The facility code of the incident
  • severity
    The severity of the event
  • facility
  • ip
    The IP address or hostname of the source machine
  • app_name
    The name of the application that is generating the event
  • proc_id
    The process ID of the event that generated the event
  • msg_id
    The identifier of the message
  • message
    The actual message text of the event
  • raw
    The full text of the event

Structured Data

Syslog data can contain a list of key/value pairs which Drill will extract in a field called structured_data. This field is a Drill map.