So I would deeply appreciate feedback on improving this mapping.
In the following mapping, the CEE field name comes first, the rsyslog property second.
Fields we can always map:
- srchost -> hostname
- time -> timestamp (rsyslog currently populates subseconds, which lumberjack does not seem to support)
- msg -> msg (initially used rawmsg, but decided against this)
- pid -> procid (may not actually be a Linux process ID)
- proc -> app-name
- level -> generated from the syslog severity (value mapping below)
  - emergency(0) -> FATAL
  - alert(1), critical(2), error(3) -> ERROR
  - warning(4) -> WARN
  - notice(5), informational(6) -> INFO
  - debug(7) -> DEBUG
  - (never mapped) -> TRACE
Note that the following fields may or may not be present inside a JSON/BSON document:
- ppid -> parent process ID (SCM_CREDENTIALS, local only?)
- uid -> (SCM_CREDENTIALS, local only?)
- gid -> (SCM_CREDENTIALS, local only?)
- tid -> thread ID (questionable, can probably not be provided with the current logging API)
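As an added illustration of the mapping above (example code written for this page, not rsyslog's own implementation), the routine below parses constructed RFC 5424 lines into the rsyslog properties named in the mapping, derives the CEE level from the severity bits of PRI, drops the subsecond fraction that lumberjack cannot carry, leaves out pid when the PROCID is the RFC 5424 nil value, and emits the local-only ppid/uid/gid fields only when a caller supplies them. The RFC 5424 matcher is deliberately minimal and the sample lines are constructed, not real log data.

```python
import json
import re

# Severity -> level mapping from the post (syslog severity is PRI & 7).
# TRACE is never produced, as the post says.
SEVERITY_TO_LEVEL = {
    0: "FATAL",
    1: "ERROR", 2: "ERROR", 3: "ERROR",
    4: "WARN",
    5: "INFO", 6: "INFO",
    7: "DEBUG",
}

# Minimal RFC 5424 header matcher: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME
# PROCID MSGID STRUCTURED-DATA [MSG]. Structured data is accepted as "-" or a
# run of bracketed elements without a nested "]" (enough for the samples here).
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>\d "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# Fractional seconds directly before the "Z" or numeric offset of the timestamp.
SUBSECONDS = re.compile(r"\.\d+(?=(?:Z|[+-]\d{2}:\d{2})$)")


def parse_rfc5424(line):
    """Return the rsyslog-style properties used by the mapping, or None."""
    m = RFC5424.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None  # PRI is facility*8 + severity, so 191 is the maximum
    return {
        "syslogseverity": pri & 7,
        "syslogfacility": pri >> 3,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app-name": m.group("appname"),
        "procid": m.group("procid"),
        "msg": m.group("msg") or "",
    }


def to_cee(props, local_creds=None):
    """Build the CEE document according to the mapping in the post.

    local_creds stands in for the ppid/uid/gid values the post marks as
    local-only (assumption: supplied by the caller); they are emitted only
    when present.
    """
    doc = {
        "srchost": props["hostname"],
        # The post notes lumberjack has no subseconds, so the fraction is dropped.
        "time": SUBSECONDS.sub("", props["timestamp"]),
        "msg": props["msg"],
        "proc": props["app-name"],
        "level": SEVERITY_TO_LEVEL[props["syslogseverity"]],
    }
    # RFC 5424 uses "-" as the nil value; do not emit an empty pid in that case.
    if props["procid"] != "-":
        doc["pid"] = props["procid"]  # kept as a string: not necessarily a Linux PID
    for key in ("ppid", "uid", "gid"):
        if local_creds and key in local_creds:
            doc[key] = local_creds[key]
    return doc


def to_cee_line(props, local_creds=None):
    """Serialize with the @cee: cookie that marks a CEE-enhanced syslog message."""
    return "@cee: " + json.dumps(to_cee(props, local_creds), sort_keys=True)


# Constructed sample messages (not real log data).
SAMPLES = [
    "<165>1 2012-03-01T12:34:56.789Z host1 myapp 1234 ID47 - hello world",
    "<0>1 2012-03-01T12:34:56Z host2 kernel - - - panic",
    "<12>1 2012-03-01T12:34:57+01:00 host3 sshd 99 - [x@1 a=\"1\"] weak cipher",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(to_cee_line(parse_rfc5424(line)))
```

Running the block prints one `@cee:` line per sample; the first becomes level INFO (PRI 165 is facility 20, severity 5), the kernel message becomes FATAL with no pid, and the sshd line becomes WARN.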