Syslog Format Plugin

Starting in Drill 1.16, Drill provides a syslog format plugin, which enables Drill to query syslog formatted data as specified in RFC-5424, as shown:

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]  

Configuration Options

The syslog format plugin provides the following configuration options:

• maxErrors
  Sets the maximum number of malformatted lines that the format plugin will tolerate before throwing an error and halting execution.

• flattenStructuredData
  Syslog data optionally contains a series of key/value pairs known as the structured data. By default, Drill will parse these into a map.

    "syslog": {
       "type": "syslog",
       "extensions": [ "syslog" ],
       "maxErrors": 10,
       "flattenStructuredData": false
    }  
  

Fields

In terms of data types, the event_date field is a datetime, the severity_code, facility_code, and proc_id are integers and all other fields are VARCHARs.

Note: All fields, with the exception of the event_date field, are not required; therefore, all fields may not be present at all times.

• event_date
  This is the time of the event
• severity_code
  The severity code of the event
• facility_code
  The facility code of the incident
• severity
  The severity of the event
• facility
• ip
  The IP address or hostname of the source machine
• app_name
  The name of the application that is generating the event
• proc_id
  The process ID of the event that generated the event
• msg_id
  The identifier of the message
• message
  The actual message text of the event
• raw
  The full text of the event

Structured Data

Syslog data can contain a list of key/value pairs which Drill will extract in a field called structured_data. This field is a Drill map.