json: output messages in JSONv1 format

While Logstash is quite flexible in the JSON messages received, the
canonical format it "expects" is the JSON Event v1 format. The timestamp
should be keyed by `@timestamp` and there should be a `@version` key
whose value is 1. All other keys are free.

There is no formal specification of this format. It is however described
here:

 https://github.com/elastic/logstash/blob/1.5/lib/logstash/event.rb#L26-L47

It's useful to respect this format as it allows a user to use a less
capable receiver. The new format is enabled only when `eventv1=1` is set
in plugin configuration.

Signed-off-by: Vincent Bernat <Vincent.Bernat@exoscale.ch>

diff --git a/output/ulogd_output_JSON.c b/output/ulogd_output_JSON.c
index 3ad262069e20b7644c228b913ef4bebee2bdce81..36a4d4962a54bc82399140c98628608317fa014a 100644 (file)
--- a/output/ulogd_output_JSON.c
+++ b/output/ulogd_output_JSON.c
@@ -46,6 +46,7 @@ enum json_conf {
        JSON_CONF_FILENAME = 0,
        JSON_CONF_SYNC,
        JSON_CONF_TIMESTAMP,
+       JSON_CONF_EVENTV1,
        JSON_CONF_DEVICE,
        JSON_CONF_BOOLEAN_LABEL,
        JSON_CONF_MAX
@@ -72,6 +73,12 @@ static struct config_keyset json_kset = {
                        .options = CONFIG_OPT_NONE,
                        .u = { .value = 1 },
                },
+               [JSON_CONF_EVENTV1] = {
+                       .key = "eventv1",
+                       .type = CONFIG_TYPE_INT,
+                       .options = CONFIG_OPT_NONE,
+                       .u = { .value = 0 },
+               },
                [JSON_CONF_DEVICE] = {
                        .key = "device",
                        .type = CONFIG_TYPE_STRING,
@@ -101,6 +108,9 @@ static int json_interp(struct ulogd_pluginstance *upi)
                return ULOGD_IRET_ERR;
        }
 
+       if (upi->config_kset->ces[JSON_CONF_EVENTV1].u.value != 0)
+               json_object_set_new(msg, "@version", json_integer(1));
+
        if (upi->config_kset->ces[JSON_CONF_TIMESTAMP].u.value != 0) {
                time_t now;
                char timestr[MAX_LOCAL_TIME_STRING];
@@ -130,7 +140,10 @@ static int json_interp(struct ulogd_pluginstance *upi)
                                        t->tm_min, t->tm_sec);
                }
 
-               json_object_set_new(msg, "timestamp", json_string(timestr));
+               if (upi->config_kset->ces[JSON_CONF_EVENTV1].u.value != 0)
+                       json_object_set_new(msg, "@timestamp", json_string(timestr));
+               else
+                       json_object_set_new(msg, "timestamp", json_string(timestr));
        }
 
        if (upi->config_kset->ces[JSON_CONF_DEVICE].u.string) {

diff --git a/ulogd.conf.in b/ulogd.conf.in
index 8893175defb80bb6dbf3bf9315d9666869e7ed02..9624a4b6c38ea266f88eb4af4ddf7bcff1227960 100644 (file)
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -209,6 +209,9 @@ sync=1
 # by the input plugin is coding the action on packet: if 0, then
 # packet has been blocked and if non null it has been accepted.
 #boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
 
 [pcap1]
 #default file is /var/log/ulogd.pcap