[rsyslog-notify] Forum Thread: Removing <PRI> in a forwarded syslog message - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Wed Sep 30 04:20:59 CEST 2015


User: smartdave 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25964#p25964

Message: 
----------
Good evening

I am trying to configure rsyslog to forward inbound syslog messages to an
upstream server and am having an issue with the <PRI> field.

The inbound message looks like:

Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall:
msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 192.168.30.2
8.8.8.8 54358 53  (DNS-00)

and my rsyslog template is:

$template myfmt, "[][][%fromhost-ip%][][] %rawmsg%\n"

The issue is I am getting the PRI field included in the outbound relay:

This is what is received by the upstream system

<118>Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall:
msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 192.168.30.2
8.8.8.8 54358 53  (DNS-00)

How do I remove the <value> at the beginning?

I tried using the following template:

$template myfmt, "[][][%fromhost-ip%][][] %rawmsg:6:$%\n"

Which does work, but my concern is that it will always remove <118>, but....
what if I only get a 2-digit PRI such as <12>? What happens then? Does it
strip the first letter off the month?

How can I remove the <PRI> field in the forwarded messages?

I tried using %msg% but that strips off a bunch of the first parts of the
message which I need.



Thanks for the help

Dave
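The worry in the post is well founded: the property replacer's ":6:$" is a fixed character offset (1-based, so it keeps everything from the 6th character on), and a message with a shorter PRI loses part of its timestamp. The following Python script is an added example, not code from the thread or from rsyslog; it replays both approaches over a constructed copy of the message above plus a constructed <12> variant and a PRI-less variant, and decodes the PRI into facility and severity (PRI = facility * 8 + severity). The equivalent rsyslog template using the property replacer's regex mode would be something like `%rawmsg:R,ERE,1,DFLT:^<[0-9]{1,3}>(.*)--end%`; that line is written from memory of the property replacer syntax, not taken from the thread, so check it against the documentation for the rsyslog version in use.

```python
import re

# Constructed sample: what the upstream server received, as shown in the post.
RECEIVED_118 = ('<118>Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall: '
                'msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 '
                '192.168.30.2 8.8.8.8 54358 53  (DNS-00)')
# Constructed variants: same payload with a two-digit PRI, and with no PRI at all.
BODY = RECEIVED_118[len('<118>'):]
RECEIVED_12 = '<12>' + BODY
NO_PRI = BODY

# A syslog PRI is "<" + 1..3 decimal digits + ">" at the very start of the datagram.
PRI_RE = re.compile(r'^<(\d{1,3})>')


def fixed_offset_strip(rawmsg, keep_from=6):
    """Mimic the template %rawmsg:6:$%.

    Property-replacer positions are 1-based, so ':6:$' keeps the 6th character
    onward, i.e. always drops exactly 5 characters regardless of PRI width.
    """
    return rawmsg[keep_from - 1:]


def regex_strip_pri(rawmsg):
    """Remove a leading <PRI> of any width; lines without one pass through unchanged."""
    return PRI_RE.sub('', rawmsg, count=1)


def decode_pri(rawmsg):
    """Return (facility, severity) for a leading PRI, or None if absent/invalid.

    Valid PRI values are 0..191 (facility 0..23, severity 0..7).
    """
    m = PRI_RE.match(rawmsg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def compare(rawmsg):
    """Show both strategies side by side for one message."""
    return {
        'fixed_offset': fixed_offset_strip(rawmsg),
        'regex': regex_strip_pri(rawmsg),
        'pri': decode_pri(rawmsg),
    }


if __name__ == '__main__':
    for label, msg in (('<118>', RECEIVED_118), ('<12>', RECEIVED_12), ('no PRI', NO_PRI)):
        r = compare(msg)
        print(f'--- {label}: facility/severity = {r["pri"]}')
        print('fixed offset ->', r['fixed_offset'][:40])
        print('regex        ->', r['regex'][:40])
```

Running it shows the fixed offset working only for the three-digit case: with <12> the forwarded line starts with "ep 29 ...", and a message that arrives without any PRI loses "Sep 2" entirely, whereas the regex version leaves both intact. Decoding <118> gives facility 14, severity 6, which is worth logging on the relay if the upstream system needs the priority information that is being stripped from the text.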

