From 66599fc38093a9810d1b6103c234e8cb51ae4b8e Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Mon, 25 Mar 2019 21:39:56 +0100
Subject: [PATCH] Support structured messages
---
 systemd-journal-gelf | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/systemd-journal-gelf b/systemd-journal-gelf
index 1d622b7..2b7ac5f 100644
--- a/systemd-journal-gelf
+++ b/systemd-journal-gelf
@@ -69,16 +69,25 @@ if (-e $conf->{state}){
 }
 }
-open JOURNAL, "journalctl -f -o json$cursor_arg |";
+open JOURNAL, "/usr/bin/journalctl -f -o json$cursor_arg |";
 while (my $entry = ){
 my $msg = from_json($entry);
 my $gelf = {
- version => 1.1,
- short_message => $msg->{MESSAGE},
- host => $msg->{_HOSTNAME},
- timestamp => int ($msg->{__REALTIME_TIMESTAMP} / (1000 * 1000)),
- level => $msg->{PRIORITY}
+ version => 1.1,
+ short_message => $msg->{MESSAGE},
+ host => $msg->{_HOSTNAME},
+ timestamp => int ($msg->{__REALTIME_TIMESTAMP} / (1000 * 1000)),
+ level => $msg->{PRIORITY}
 };
+ # Now lets look at the message. If it starts with gelf: we can split it and have further
+ # fields to send. I use this to handle httpd or nginx logs for example
+ if ($msg->{MESSAGE} =~ m/^gelf:([a-zA-Z\d]+=([^\|])\|?)+/){
+ $msg->{MESSAGE} =~ s/^gelf://;
+ foreach (split /\|/, $msg->{MESSAGE}){
+ my ($key,$val) = split /=/, $_;
+ $gelf->{'_' . lc $key} = $val;
+ }
+ }
 foreach (grep !/^MESSAGE|_HOSTNAME|__REALTIME_TIMESTAMP|PRIORITY$/, keys %$msg){
 my $key = lc (($_ =~ m/^_/) ? $_ : '_' . $_);
 $gelf->{$key} = $msg->{$_};
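Review bot: The new `gelf:` branch checks only the start of MESSAGE and then trusts every `|`-separated piece, so any logged value that contains `|` or `=` (a request URI or user agent in the httpd/nginx case the comment mentions) can add GELF fields or overwrite ones parsed earlier from the same message. The guard regex matches a single value character with `([^\|])` and is not anchored at the end, so it does not validate the later pairs. `split /=/, $_` without a limit also silently truncates values that contain `=`, such as query strings. I would validate each pair inside the loop, `my ($key,$val) = split /=/, $_, 2;` followed by `next unless defined $val and $key =~ m/^[a-zA-Z\d]+$/;`, and have the log producer escape `|` in values. The enclosing `while` loop runs past the end of the hunk; the journal-field loop that follows assigns after this one, so real journal fields win on a name collision, but any field the journal does not set for that entry remains forgeable.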