Send messages to Falcon LogScale

Starting with version 4.3.0, AxoSyslog can send messages to Falcon LogScale using its Ingest Structured Data API. That way you don’t have to parse the data on Falcon LogScale, because AxoSyslog already sends it in a structured format that LogScale understands and can show in a structured manner as separate columns. For a tutorial on using this destination in Kubernetes, see the From syslog-ng to LogScale: structured logs from any source blog post.

Prerequisites

• Create an Ingest token for AxoSyslog to use in the token() option of the destination. This token is specific to a LogScale repository.

Ingest Structured Data API

The logscale() destination feeds LogScale via the Ingest Structured Data API.

Minimal configuration:

destination d_logscale {
  logscale(
    token("your-logscale-ingest-token")
  );
};

This driver is actually a reusable configuration snippet configured to send log messages using the http() driver using a template. You can find the source of this configuration snippet on GitHub.

Options

The following options are specific to the logscale() destination. But since this destination is based on the http() destination, you can use the options of the http() destination as well if needed.

attributes()

Description: A JSON object representing key-value pairs for the LogScale Event, formatted as AxoSyslog value-pairs. By default, the logscale() destination sends the RFC5424 fields as attributes. If you want to send different fields, override the default template.

content-type()

Description: The content-type of the HTTP request.

extra-headers()

Description: Extra headers for the HTTP request.

rawstring()

Description: Accepts a template that you can use to format the LogScale event.

timestamp()

Description: The timestamp added to the LogScale event.

timezone()

Description: The timezone of the event.

url()

Description: The URL of the LogScale Ingest API.