- sys - name of the system the message originated from (STRING)
- time - timestamp from the syslog message (UTC_DATETIME)
- time_rcvd - timestamp when the rsyslog instance received the message (UTC_DATETIME)
- msg - the free-form message text (STRING)
- syslog_fac - the syslog facility in numerical form, see RFC5424 to decode (INT32)
- syslog_sever - the syslog severity in numerical form, see RFC5424 to decode (INT32)
- syslog_tag - the traditional syslog tag (STRING)
- procid - the name of the process that emitted the message (STRING)
- pid - the process id of the process that emitted the message (STRING)
- level - a severity level based on the lumberjack schema definition (STRING)
Note that the default schema currently does NOT contain data obtained by parsing the CEE-enhanced JSON part of the message. Current thinking is that it is probably best to include this as a sub-element, maybe together with other structured data like RFC5424 structured data. This is currently being worked on. It is not so much a lack of time to implement it as the desire to avoid re-doing things as the spec changes. Anyhow, I'll probably have a "timeout" after which I will implement at least some idea (after all, not too much work will be lost if things change).
If you use this schema, please keep in mind that it is experimental. At this stage I will not try to remain backwards compatible when I make changes. So expect that newer versions may break your things!
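As an added example (not rsyslog code), the following Python validator checks a JSON record against the field list above, decodes the numeric facility and severity with the RFC5424 tables, and, as an illustration of the "sub-element" idea for CEE data, parses an `@cee:` JSON payload found at the start of `msg` into a `cee` member. The `cee` member name and the validation helper names are assumptions made for this example; the two sample records are constructed here and are not real log data.

```python
"""Validate events in the experimental lumberjack default schema and decode
PRI components per RFC 5424 (added example, not part of rsyslog)."""
import json
from datetime import datetime, timedelta

# Field name -> schema type, exactly as listed in the schema description above.
SCHEMA = {
    "sys": "STRING", "time": "UTC_DATETIME", "time_rcvd": "UTC_DATETIME",
    "msg": "STRING", "syslog_fac": "INT32", "syslog_sever": "INT32",
    "syslog_tag": "STRING", "procid": "STRING", "pid": "STRING", "level": "STRING",
}

# RFC 5424 section 6.2.1, Table 1 (facility codes 0-23) and Table 2 (severity 0-7).
# Short keyword labels are used here; 13-15 are "log audit", "log alert", "clock daemon".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_facility(code):
    if not 0 <= code < len(FACILITIES):
        raise ValueError("facility out of range: %r" % code)
    return FACILITIES[code]


def decode_severity(code):
    if not 0 <= code < len(SEVERITIES):
        raise ValueError("severity out of range: %r" % code)
    return SEVERITIES[code]


def _is_utc_datetime(value):
    """UTC_DATETIME: ISO 8601 text carrying an explicit zero UTC offset ('Z' or +00:00)."""
    if not isinstance(value, str):
        return False
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None and parsed.utcoffset() == timedelta(0)


def validate_event(event):
    """Return a list of problems (empty list means the record matches the schema)."""
    problems = []
    for name, typ in SCHEMA.items():
        if name not in event:
            problems.append("missing field: %s" % name)
            continue
        value = event[name]
        if typ == "STRING" and not isinstance(value, str):
            problems.append("%s: expected STRING, got %s" % (name, type(value).__name__))
        elif typ == "INT32" and (isinstance(value, bool) or not isinstance(value, int)
                                 or not -2**31 <= value < 2**31):
            problems.append("%s: expected INT32, got %r" % (name, value))
        elif typ == "UTC_DATETIME" and not _is_utc_datetime(value):
            problems.append("%s: expected UTC_DATETIME, got %r" % (name, value))
    # The PRI components must also be in their RFC 5424 ranges, not just fit in an INT32.
    fac, sev = event.get("syslog_fac"), event.get("syslog_sever")
    if isinstance(fac, int) and not 0 <= fac < len(FACILITIES):
        problems.append("syslog_fac: not an RFC 5424 facility: %r" % fac)
    if isinstance(sev, int) and not 0 <= sev < len(SEVERITIES):
        problems.append("syslog_sever: not an RFC 5424 severity: %r" % sev)
    return problems


def attach_cee(event):
    """Assumed sub-element layout: when msg starts with the '@cee:' cookie, the JSON that
    follows is parsed into event['cee']; msg itself is left untouched. A malformed payload
    yields event['cee'] = None so the caller can see that the cookie was present."""
    msg = event.get("msg", "")
    if isinstance(msg, str) and msg.lstrip().startswith("@cee:"):
        payload = msg.lstrip()[len("@cee:"):].strip()
        try:
            event["cee"] = json.loads(payload)
        except ValueError:
            event["cee"] = None
    return event


# Constructed sample records (not real log data).
SAMPLE_EVENT = """{"sys": "web01", "time": "2012-04-21T09:30:15.123Z",
 "time_rcvd": "2012-04-21T09:30:15.456Z", "msg": "session opened for user root",
 "syslog_fac": 4, "syslog_sever": 6, "syslog_tag": "sshd[2157]:",
 "procid": "sshd", "pid": "2157", "level": "info"}"""

SAMPLE_CEE_EVENT = """{"sys": "web01", "time": "2012-04-21T09:31:02Z",
 "time_rcvd": "2012-04-21T09:31:02Z", "msg": "@cee: {\\"user\\": \\"root\\", \\"action\\": \\"login\\"}",
 "syslog_fac": 10, "syslog_sever": 5, "syslog_tag": "app:",
 "procid": "app", "pid": "4242", "level": "notice"}"""

# Bad record: naive timestamp, numeric pid, severity 9.
SAMPLE_BAD_EVENT = """{"sys": "web01", "time": "2012-04-21T09:30:15",
 "time_rcvd": "2012-04-21T09:30:15Z", "msg": "x", "syslog_fac": 4, "syslog_sever": 9,
 "syslog_tag": "t:", "procid": "p", "pid": 2157, "level": "info"}"""

if __name__ == "__main__":
    for raw in (SAMPLE_EVENT, SAMPLE_CEE_EVENT, SAMPLE_BAD_EVENT):
        ev = attach_cee(json.loads(raw))
        print(validate_event(ev) or "ok", ev.get("cee"))
```

A record that passes `validate_event` still only guarantees field types and RFC5424 ranges; whether `level` agrees with `syslog_sever` is left alone here because the text does not define that mapping.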