Merge pull request #13519 from lchapman4/patch-4

Update use-tcp-endpoint-forward-logs-new-relic.mdx
newrelic · Jun 14, 2023 · 29624ee · 29624ee
2 parents bc0c650 + cc4c58b
commit 29624ee
Showing 1 changed file with 32 additions and 3 deletions.
diff --git a/src/content/docs/logs/log-api/use-tcp-endpoint-forward-logs-new-relic.mdx b/src/content/docs/logs/log-api/use-tcp-endpoint-forward-logs-new-relic.mdx
@@ -74,12 +74,41 @@ To forward logs to New Relic with `rsyslog` for Amazon Linux, Redhat, and Centos
           StreamDriverMode="1"
    )
    ```
-6. Restart the `rsyslog` service by running:
+6. (Optional): Add custom attributes to your `syslog` data.
+
+ To make your `syslog` data consistent with the rest of your telemetry data, you can add custom attributes. There are two ways to do this:
+
+   * **Add custom attributes directly in the template string.** You'll need to escape the double quotes (`"`) for the string values. For example:
+
+   `[<STRUCTURED_DATA_ID> <ATTR_NAME_1>="<ATTR_VALUE_1>" <ATTR_NAME_2>="<ATTR_VALUE_2>" ...]`
+
+   ```properties
+   template(name="newrelic-rfc5424"
+            type="string"
+            string="YOUR_LICENSE_KEY <%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [someId environment=\"prod\" region=\"US\"] %msg%\n"
+   )
+   ```
+
+   * **Add custom attributes using a custom property variable in the template string.** This method avoids the need to escape string values.
+
+   ```properties
+   template(name="newrelic-rfc5424"
+            type="string"
+            string="YOUR_LICENSE_KEY <%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% %!custom-structured-data% %msg%\n"
+   )
+
+   set $!custom-structured-data = '[someId1 environment="prod" region="US"][someId2 team="sre" cost-center="123"]';
+   ```
+
+Make sure you replace the `%structured-data%` section in the template string with custom tags/attributes. 
+
+7. Restart the `rsyslog` service by running:
 
    ```bash
    sudo systemctl restart rsyslog
    ```
-7. [Check your New Relic account](/docs/logs/log-management/ui-data/explore-your-data-log-analytics) for logs.
+
+8. [Check your New Relic account](/docs/logs/log-management/ui-data/explore-your-data-log-analytics) for logs.
 
 ## Configure rsyslog versions 8 and above with compression (Amazon Linux, Redhat, Centos) [#rsyslog-compression]
 
@@ -244,4 +273,4 @@ To forward logs to New Relic with `syslog-ng`:
 
 <Callout variant="tip">
   If you're running syslog-ng from a Docker container and experience issues, check [balait/syslog image documentation](https://hub.docker.com/r/balabit/syslog-ng/).
-</Callout>
+</Callout>