How to escape or remove double quotes in rsyslog template

Posted by Evgeny on Server Fault See other posts from Server Fault or by Evgeny
Published on 2011-05-31T17:29:17Z Indexed on 2012/06/19 21:19 UTC
Read the original article Hit count: 881

Filed under:

rsyslog

|

escaping

I want rsyslog to write log messages in JSON format, which requires to use double-quotes (") around strings.

Problem is that values sometime include double-quotes themselves, and those need to be escaped - but I can't figure out how to do that.

Currently my rsyslog.conf contains this format that I use (a bit simplified):

$template JsonFormat,"{\"msg\":\"%msg%\",\"app-name\":\"%app-name%\"}\n",sql

But when a msg arrives that contains double quotes, the JSON is broken, example:

user pid=21214 uid=0 auid=4294967295 msg='PAM setcred:
user="oracle" exe="/bin/su" (hostname=?, addr=?, terminal=?
result=Success)'

turns into:

{"msg":"user pid=21214 uid=0 auid=4294967295 msg='PAM setcred:
user="oracle" exe="/bin/su" (hostname=?, addr=?, terminal=?
result=Success)'","app-name":"user"}

but what I need it to become is:

{"msg":"user pid=21214 uid=0 auid=4294967295 msg='PAM setcred:
user=\"oracle\" exe=\"/bin/su\" (hostname=?, addr=?, terminal=?
result=Success)'","app-name":"user"}

© Server Fault or respective owner

Related posts about rsyslog

How to start up rsyslog automatically?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Check current status of rsyslog $ chkconfig --list rsyslog rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off Start up rsyslog at some levels $ sudo chkconfig --level 35 rsyslog on It outputs these information: insserv: warning: script 'plymouth-stop' missing LSB tags… >>> More
rsyslog channels change ownership from root

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Hello all I am using rsyslog on ubuntu 10.4 64bit LTS. the following is the relevant config in /etc/rsyslog.d/60-mylogger.conf $template Paul,"%msg%\n" $outchannel log_rotation_paul,/var/log/paul/events.log,2000,/opt/scripts/log_rotation_script.sh local0.* $log_rotation_paul;Paul This… >>> More
Rsyslog stops sending data to remote server after log rotation

as seen on Server Fault - Search for 'Server Fault'
In my configuration, I have rsyslog who is in charge of following changes of /home/user/my_app/shared/log/unicorn.stderr.log using imfile. The content is sent to another remote logging server using TCP. When the log file rotates, rsyslog stops sending data to the remote server. I tried reloading… >>> More
Does the ``-'' sign have meaning in rsyslog.conf

as seen on Server Fault - Search for 'Server Fault'
Rsyslog is backwards-compatible with Syslog configuration files. The syslog.conf man page has: You may prefix each entry with the minus ``-'' sign to omit syncing the file after every logging. Note that you might lose information if the system crashes right behind a write attempt. Nevertheless… >>> More
Rsyslog to get logs from one machine to another

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi I am very new to this... please help me configure rsyslog to get log from one machine to another machine. I am trying to get the log files from multiple systems to a base system. I have installed rsyslog on Ubuntu and tried configuring it But it did not work >>> More

Related posts about escaping

XSLT disable output escaping when disable-output-escaping is not supported

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi folks, Since disable-output-escaping doesn't work on firefox (and isn't going to), whats the next best way of including raw markup in the output of an XSTL transform? (Background: I've got raw HTML in a database that I want to wrap in XML to send to a browser to render. I've got control of… >>> More
Escaping Generics with T4 Templates

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
I've been doing some work with T4 templates lately and ran into an issue which I couldn't find an answer to anywhere. I finally figured it out, so I thought I'd share the solution. I was trying to generate a code class with a T4 template which used generics The end result a method like: public… >>> More
How to escape or remove double quotes in rsyslog template

as seen on Server Fault - Search for 'Server Fault'
I want rsyslog to write log messages in JSON format, which requires to use double-quotes (") around strings. Problem is that values sometime include double-quotes themselves, and those need to be escaped - but I can't figure out how to do that. Currently my rsyslog.conf contains this format that… >>> More
Searching for literal "> \" using ack-grep

as seen on Server Fault - Search for 'Server Fault'
I am looking for lines that literally have a greater than character (a "") followed by a space followed by a backslash character (a "\") i.e., a line with this: \ I thought escaping would allow this, and for the greater-than it does: $ ack-grep " " returns lines that have " " in them. But… >>> More
Escaping equal sign in properties files

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi guys, How do i escape the equals ('=') sign in java properties file? i would like to put something like table.whereclause=where id=100 . thanks. Josh >>> More