RFC5424 Decoder
RFC5424 and its variant, RFC5425, are supported by Flowgger.
RFC5424 messages are assumed to be on a single line and to be made of valid UTF-8 sequences.
This format is natively supported by common syslog servers, as well as various libraries.
Example RFC5424 record:
<23>1 2015-08-05T15:53:45.637824Z testhostname appname 69 42 [origin@123 software="test script" swVersion="0.0.1"] test message
Structured data are optional, but supported. The above example includes two key-value pairs as structured data: (software, test script) and (swVersion, 0.0.1).
Note that RFC 5424 requires structured data values to be properly escaped: a \ character should be prepended to ], " and \ characters (not bytes, due to UTF-8 encoding).
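The escaping rule above, as an added example that is not Flowgger's own code: a character-wise escaper for structured data values and a small parser for the name="value" pairs of one structured data element. The function names are hypothetical, and the parser covers only the parameter list, not the full RFC5424 record.

```rust
// Added example, not Flowgger code; function names are hypothetical.
/// Escape a PARAM-VALUE: prefix `"`, `\` and `]` with `\`, per char (not byte).
fn escape_sd_value(raw: &str) -> String {
    let mut out = String::with_capacity(raw.len());
    for c in raw.chars() {
        if matches!(c, '"' | '\\' | ']') { out.push('\\'); }
        out.push(c);
    }
    out
}

/// Parse `name="value"` pairs of one SD-ELEMENT body, undoing the escaping.
fn parse_sd_params(body: &str) -> Result<Vec<(String, String)>, String> {
    let mut params = Vec::new();
    let mut chars = body.chars().peekable();
    loop {
        while chars.peek() == Some(&' ') { chars.next(); }
        if chars.peek().is_none() { return Ok(params); }
        let mut name = String::new();
        loop {
            match chars.next() {
                Some('=') if !name.is_empty() => break,
                Some(c) if !matches!(c, ' ' | '=' | '"' | ']') => name.push(c),
                _ => return Err(format!("bad param name near {:?}", name)),
            }
        }
        if chars.next() != Some('"') { return Err("value must be quoted".into()); }
        let mut value = String::new();
        loop {
            match chars.next() {
                Some('"') => break,
                Some(']') => return Err("unescaped ] inside value".into()),
                Some('\\') => match chars.next() {
                    Some(c) if matches!(c, '"' | '\\' | ']') => value.push(c),
                    // Any other escape is invalid: keep the backslash literally.
                    Some(c) => { value.push('\\'); value.push(c) }
                    None => return Err("dangling backslash".into()),
                },
                Some(c) => value.push(c),
                None => return Err("unterminated value".into()),
            }
        }
        params.push((name, value));
    }
}
fn main() {
    let wire = format!("software=\"{}\"", escape_sd_value("a]b \"c\""));
    println!("{} -> {:?}", wire, parse_sd_params(&wire));
}
```

A value containing `"` that is written without escaping parses as additional parameters, which is why generators must escape before emitting.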
RFC5424 is more complicated than it looks, is slow to parse, and can be tricky to generate correctly. LTSV may be a better choice for most scenarios.
Incoming messages can be parsed according to this format by enabling it in the Flowgger configuration file:
[input]
type = "rfc5424"