From 017df9999b144c819dec297d916bee52f12c45dc Mon Sep 17 00:00:00 2001
From: David Laing
Date: Fri, 16 Jan 2015 11:51:42 +0000
Subject: [PATCH 1/2] Add ability to send syslog rfc5424 structured_data
---
 lib/logstash/outputs/syslog.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/logstash/outputs/syslog.rb b/lib/logstash/outputs/syslog.rb
index 416745d..9fc0c3a 100644
--- a/lib/logstash/outputs/syslog.rb
+++ b/lib/logstash/outputs/syslog.rb
@@ -80,9 +80,11 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
 # message id for syslog message
 config :msgid, :validate => :string, :default => "-"
+ # structured data for syslog message (rfc5424 only)
+ config :structured_data, :validate => :string, :default => "-"
+ # syslog message format: you can choose between rfc3164 or rfc5424
 config :rfc, :validate => ["rfc3164", "rfc5424"], :default => "rfc3164"
- public def register
@@ -127,9 +129,10 @@ def receive(event)
 timestamp = event.sprintf("%{+MMM dd HH:mm:ss}")
 syslog_msg = "<"+priority.to_s()+">"+timestamp+" "+sourcehost+" "+appname+"["+procid+"]: "+event["message"]
 else
- msgid = event.sprintf(@msgid)
+ msgid = event.sprintf(@msgid)
+ structured_data = "[LOGSTASH@#{LOGSTASH_VERSION} #{event.sprintf(@structured_data)}]" unless @structured_data == '-'
 timestamp = event.sprintf("%{+YYYY-MM-dd'T'HH:mm:ss.SSSZ}")
- syslog_msg = "<"+priority.to_s()+">1 "+timestamp+" "+sourcehost+" "+appname+" "+procid+" "+msgid+" - "+event["message"]
+ syslog_msg = "<"+priority.to_s()+">1 "+timestamp+" "+sourcehost+" "+appname+" "+procid+" "+msgid+" "+structured_data+" "+event["message"]
 end
 begin
From cff51b0a9e8f321d6f357594bc27b79ebff4090a Mon Sep 17 00:00:00 2001
From: David Laing
Date: Wed, 21 Jan 2015 16:32:09 +0000
Subject: [PATCH 2/2] Don't hardcode LOGSTASH@LOGSTASH_VERSION as the structured data enterprise number.
---
 lib/logstash/outputs/syslog.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
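Review bot: The comment on `config :structured_data` (first hunk of PATCH 1/2) does not tell the user what the setting must contain. In `receive` the value is run through `event.sprintf` and placed inside a bracketed SD-ELEMENT, and `"-"` is the sentinel for "none". I would spell that out, for example `# structured data for syslog message (rfc5424 only): sprintf-expanded per event and sent inside [...]; "-" (default) means none`. The rfc3164 branch visible in the `receive` hunk never uses the option, which is worth stating outright rather than only in parentheses.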
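Review bot: With the default `structured_data => "-"`, the `unless` modifier in the `receive` hunk of PATCH 1/2 leaves the local `structured_data` as nil. The rewritten `syslog_msg` line then does `" "+structured_data+" "`, so an rfc5424 event raises TypeError before the `begin` that follows in the hunk. Assign the RFC 5424 NILVALUE in that case, e.g. `structured_data = @structured_data == '-' ? '-' : "[LOGSTASH@#{LOGSTASH_VERSION} #{event.sprintf(@structured_data)}]"`. PATCH 2/2 keeps the same `unless` form, so the same change is needed on its rewritten line. `receive` begins and ends outside this hunk, so any rescue further out is not visible here.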
diff --git a/lib/logstash/outputs/syslog.rb b/lib/logstash/outputs/syslog.rb
index 9fc0c3a..7b7623e 100644
--- a/lib/logstash/outputs/syslog.rb
+++ b/lib/logstash/outputs/syslog.rb
@@ -130,7 +130,7 @@ def receive(event)
 syslog_msg = "<"+priority.to_s()+">"+timestamp+" "+sourcehost+" "+appname+"["+procid+"]: "+event["message"]
 else
 msgid = event.sprintf(@msgid)
- structured_data = "[LOGSTASH@#{LOGSTASH_VERSION} #{event.sprintf(@structured_data)}]" unless @structured_data == '-'
+ structured_data = "[#{event.sprintf(@structured_data)}]" unless @structured_data == '-'
 timestamp = event.sprintf("%{+YYYY-MM-dd'T'HH:mm:ss.SSSZ}")
 syslog_msg = "<"+priority.to_s()+">1 "+timestamp+" "+sourcehost+" "+appname+" "+procid+" "+msgid+" "+structured_data+" "+event["message"]
 end
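Review bot: The sprintf-expanded value on the new `structured_data = "[#{event.sprintf(@structured_data)}]"` line is emitted between `[` and `]` with no escaping. An event field containing `]`, `"`, `\` or a newline can therefore close the SD-ELEMENT early and change how the receiver parses the rest of the record. RFC 5424 requires `"`, `\` and `]` to be escaped inside a PARAM-VALUE. Because the template itself legitimately contains quotes, the escaping would have to be applied to the interpolated field values rather than to the finished string, which `event.sprintf` as called here does not appear to do. At minimum the option's comment should state that the setting is now the whole SD-ELEMENT body including the SD-ID, e.g. `# e.g. exampleSDID@32473 key="%{field}" (field values are not escaped)`.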