I am giving a first shot at a mapping of the CEE base schema (as currently described in project lumberjack, NOT on the CEE site!) to rsyslog properties. The core idea is to use this mapping as the default for ommongodb. Then, rsyslog shall be able to write this schema, while logtools (and others) can rely on it. For obvious reasons “rely” is not to be treated literally, as the whole thing currently is a moving target.
So I would deeply appreciate feedback for improving this mapping.
In the following mapping, the cee field name is first, the rsyslog property second.
Fields we can always map:
- srchost -> hostname
- time -> timestamp (rsyslog currently populates subseconds, which do not seem to be supported in lumberjack)
- msg -> msg (initially used rawmsg, but decided against this)
- pid -> procid (may not actually be a Linux process ID)
- proc -> app-name
- level -> generated based on syslog severity (value mapping see below)
  - emergency(0) -> FATAL
  - alert(1), critical(2), error(3) -> ERROR
  - warning(4) -> WARN
  - notice(5), informational(6) -> INFO
  - debug(7) -> DEBUG
  - (never mapped) -> TRACE
Note that the following fields may or may not be present inside a JSON/BSON document:
- ppid -> parent process ID (SCM_CREDENTIALS, local only?)
- uid -> (SCM_CREDENTIALS, local only?)
- gid -> (SCM_CREDENTIALS, local only?)
- tid -> thread ID (questionable, can probably not be provided with the current logging API)
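To make the mapping concrete, here is an added example (my own illustration, not rsyslog or ommongodb code) that takes an RFC 5424 syslog line, applies the field mapping from the two lists above, and emits a document with the CEE/lumberjack field names. It assumes single-line RFC 5424 input with a simplified header parser, derives "level" from the severity bits of PRI exactly as listed, optionally strips the subseconds that lumberjack does not seem to support, and omits "pid"/"proc" when the RFC 5424 NILVALUE ("-") is present rather than storing a literal dash. The sample lines are constructed for the example.

```python
import json
import re

# Syslog severity (PRI & 7) -> lumberjack "level", exactly as listed above;
# TRACE has no syslog counterpart and is therefore never produced.
SEVERITY_TO_LEVEL = {
    0: "FATAL",                          # emergency
    1: "ERROR", 2: "ERROR", 3: "ERROR",  # alert, critical, error
    4: "WARN",                           # warning
    5: "INFO", 6: "INFO",                # notice, informational
    7: "DEBUG",                          # debug
}

# Simplified RFC 5424 header matcher (assumption: single-line messages,
# structured data either "-" or one or more [...] elements without a nested "]").
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

NILVALUE = "-"  # RFC 5424 marker for "not available"


def cee_level(pri: int) -> str:
    """Derive the CEE/lumberjack level from the syslog PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return SEVERITY_TO_LEVEL[pri & 7]  # the low three bits are the severity


def strip_subseconds(ts: str) -> str:
    """Drop the fractional seconds rsyslog emits: ...:01.000123+01:00 -> ...:01+01:00."""
    return re.sub(r"\.\d+", "", ts, count=1)


def to_cee(line: str, keep_subseconds: bool = False) -> dict:
    """Map one RFC 5424 line to a dict using the CEE field names from the post."""
    m = RFC5424_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m.group("pri"))
    doc = {
        "srchost": m.group("host"),                     # hostname
        "time": m.group("ts") if keep_subseconds
                else strip_subseconds(m.group("ts")),   # timestamp
        "msg": m.group("msg"),                          # msg (not rawmsg)
        "level": cee_level(pri),                        # generated from severity
    }
    # pid/proc come from the procid / app-name properties. When the sender
    # supplied the NILVALUE, leave the field out instead of storing "-".
    if m.group("procid") != NILVALUE:
        doc["pid"] = m.group("procid")
    if m.group("app") != NILVALUE:
        doc["proc"] = m.group("app")
    return doc


# Constructed sample lines for the example (not real log data).
SAMPLE_LINES = [
    '<34>1 2012-03-08T14:22:01.000123+01:00 mymachine su 1234 - - su root failed on /dev/pts/8',
    '<165>1 2012-03-08T14:22:02Z mymachine - - - - plain notice with no process info',
    '<7>1 2012-03-08T14:22:03Z mymachine cron 99 ID47 [exampleSDID@32473 iut="3"] debug line',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(to_cee(line), sort_keys=True))
```

Running it prints one JSON document per sample line; the first yields level ERROR (PRI 34 is facility 4, severity 2 = critical), the second INFO with no pid/proc keys, the third DEBUG with pid "99" and proc "cron".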