This repository was archived by the owner on Apr 3, 2021. It is now read-only.
This repository was archived by the owner on Apr 3, 2021. It is now read-only.
Feature request: Store raw data before parsing #3
Description
Thanks so much for making this parser, it is exactly what I was looking for. My only additional hope is to retain the audit log in its raw form as well.
I have tried to chain this filter together with another filter like this:
<source>
@type tail
format none
path /var/log/audit/audit.log
read_from_head false
tag audit
</source>
<filter audit>
@type record_transformer
<record>
raw_message ${record["message"]}
</record>
</filter>
<filter audit>
@type parse_audit_log #fluent-plugin-filter-parse-audit-log
</filter>
But if I do the record_transformer before the parse_audit_log my new raw_message field is lost, and if I do it after, then there is no message field to copy from any more so it is set to null.
In an ideal world, I would have three fields under the json payload like:
jsonPayload: {
raw_message: "type=SYSCALL msg=audit(1611581847.881:273): ........."
body: {1}
header: {2}
Thanks