Using Rsyslog sending to Loggly and scrub mongodb log data

I am trying to send information to loggly via rsyslog with data from mongodb 4.4.2. However I cannot get the data in a way that I can manipulate it and scrub out certain information. When I follow the guide on the Loggly site it works for non mongodb information. If I leave %$!msg% as %msg% I get the mongodb data but I am not able to manipulate it. Loggly gets a log back but the raw message is empty and all that is passed is the other fields inside of the $template

config file for reading mongo logs

#RsyslogGnuTLS$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-bundle.crt# Input <span class="hljs-keyword">for</span> FILE1input(type=<span class="hljs-string">"imfile"</span> tag=<span class="hljs-string">"mongo_lou_qa"</span> ruleset=<span class="hljs-string">"filelog"</span> file=<span class="hljs-string">"/var/log/mongodb/mongod.log"</span>) #wildcard is allowed at file level only$template LogglyFormat,<span class="hljs-string">"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [token@41058  tag=\"tag1\" tag=\"tag2\" ] %$!msg%"</span> set $!msg = $msg;<span class="hljs-keyword">if</span> re_match($!msg,<span class="hljs-string">&#39;([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])&#39;</span>)    then {  set $!ext = re_extract($!msg,<span class="hljs-string">&#39;([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])&#39;</span>,<span class="hljs-number">0</span>,<span class="hljs-number">1</span>,<span class="hljs-string">""</span>);  set $!msg= replace($!msg, $!ext, <span class="hljs-string">"xxxxxxxxx"</span>);}  <span class="hljs-function"><span class="hljs-title">ruleset</span>(<span class="hljs-params">name=<span class="hljs-string">"filelog"</span></span>)</span>{action(type=<span class="hljs-string">"omfwd"</span> protocol=<span class="hljs-string">"tcp"</span> target=<span class="hljs-string">"logs-01.loggly.com"</span> port=<span class="hljs-string">"6514"</span> template=<span class="hljs-string">"LogglyFormat"</span> StreamDriver=<span class="hljs-string">"gtls"</span> StreamDriverMode=<span class="hljs-string">"1"</span> StreamDriverAuthMode=<span class="hljs-string">"x509/name"</span> StreamDriverPermittedPeers=<span class="hljs-string">"*.loggly.com"</span>)}<br /></script>

Mongodb sample log

{<span class="hljs-string">"t"</span>:{<span class="hljs-string">"$date"</span>:<span class="hljs-string">"2021-01-01T00:00:00.000-00:00"</span>},<span class="hljs-string">"s"</span>:<span class="hljs-string">"I"</span>,  <span class="hljs-string">"c"</span>:<span class="hljs-string">"ACCESS"</span>,   <span class="hljs-string">"id"</span>:<span class="hljs-number">20000</span>,   <span class="hljs-string">"ctx"</span>:<span class="hljs-string">"conn79"</span>,<span class="hljs-string">"msg"</span>:<span class="hljs-string">"Successful authentication from 000000000"</span>,<span class="hljs-string">"attr"</span>:{<span class="hljs-string">"mechanism"</span>:<span class="hljs-string">"ABC"</span>,<span class="hljs-string">"principalName"</span>:<span class="hljs-string">"__system"</span>,<span class="hljs-string">"authenticationDatabase"</span>:<span class="hljs-string">"local"</span>,<span class="hljs-string">"client"</span>:<span class="hljs-string">"0.0.0.0:00000"</span>}}<br /><br /><br />

Find more posts tagged with

mongodb

rsyslog

Loggly

Accepted answers

All comments

There are no accepted answers yet