[rsyslog-notify] Forum Thread: Re: How to display ip-address of relaying host - (Mode 'reply')
noreply at adiscon.com
Wed Nov 11 19:59:59 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26133#p26133
Message:
----------
So you want to record both the original source of the message and the ID of
the host doing the relay.

You can't do this in a standard syslog message because it just doesn't have
places for both fields. What you can do is to format the message portion as
JSON at the relay and add metadata there, then decode the JSON on the
receiving system to be able to recreate the original if needed or do
whatever you need to with the metadata.

For example, on my relay boxes, I do

# legacy $template directives must stay on a single line
$template structured_forwarding,"<%pri%>%$.timestamp% %$.hostname% %$.syslogtag% @cee:%$!%\n"
set $!trusted!origserver = $fromhost-ip;
set $!trusted!edge!syslogtag = $.syslogtag;
set $!trusted!edge!hostname = $.hostname;
set $!trusted!edge!facility = $syslogfacility-text;
set $!trusted!edge!severity = $syslogseverity-text;
set $!trusted!edge!time = $timegenerated;
set $!trusted!edge!relay = $$myhostname;
set $!trusted!edge!input = $inputname;

Then on the central system I can use mmjsonparse to extract all the values
and build what I need to from there.

David Lang
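
The central-side half of the setup described above, as an added example that is not part of the original post or of rsyslog's own documentation: it runs mmjsonparse on messages arriving from the relays and writes the original sender and the relay name taken from the `trusted` subtree. The ruleset name, template name, port and file paths are assumptions chosen for illustration.

```rsyslog
# Added example: central receiver for messages sent with the relay's
# structured_forwarding template. All names and paths here are hypothetical.
module(load="imtcp")
module(load="mmjsonparse")

# One line per message: where it really came from and which relay passed it on.
template(name="relay_audit" type="list") {
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" origserver=")
    property(name="$!trusted!origserver")
    constant(value=" relay=")
    property(name="$!trusted!edge!relay")
    constant(value=" host=")
    property(name="$!trusted!edge!hostname")
    constant(value=" tag=")
    property(name="$!trusted!edge!syslogtag")
    constant(value=" severity=")
    property(name="$!trusted!edge!severity")
    constant(value="\n")
}

ruleset(name="from_relays") {
    # Looks for the @cee: cookie at the start of the message part and, if the
    # JSON after it is valid, loads it into the $! tree of this message.
    action(type="mmjsonparse")

    if $parsesuccess == "OK" and $!trusted!origserver != "" then {
        action(type="omfile" file="/var/log/relayed.log" template="relay_audit")
    } else {
        # No cookie, broken JSON, or no relay metadata: keep the raw message
        # in a separate file instead of dropping it silently.
        action(type="omfile" file="/var/log/relay-unparsed.log")
    }
}

# Bind the listener the relays forward to; the ruleset is defined above it.
input(type="imtcp" port="514" ruleset="from_relays")
```

The `trusted` values are only as reliable as the sender, so this listener should accept connections from the relay boxes only.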