[rsyslog-notify] Forum Thread: Re: Removing <PRI> in a forwarded syslog message - (Mode 'reply')
noreply at adiscon.com
Wed Sep 30 05:52:22 CEST 2015
User: smartdave
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25966#p25966
Message:
----------
OK, let me add a little more color.
The log flow is as follows:
Firewall --> Sends syslog to Rsyslog server --> Kiwi syslog server
I am doing this as a test to get my format right before I replace the Kiwi
syslog server with my SIEM.
If I send the logs directly to the SIEM, I end up with:
Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall:
msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 192.168.30.2
8.8.8.8 54358 53 (DNS-00)
Now I know the PRI is there as part of the syslog header, but the SIEM
strips it to give me the above message.
But when I send the logs into rsyslog and then relay them using the following
template:
$template myfmt, "[][][%fromhost-ip%][][] %rawmsg%\n"
it is leaving the <PRI> at the beginning of the log message.
I had thought about a regular expression to strip off the <xxx>, and maybe
that is the way to go, but I figured rsyslog should have a function to not
send it.
OK, my config is as follows (it's pretty basic):
# input modules: local syslog socket, kernel log, periodic mark messages
$ModLoad imuxsock
$ModLoad imklog
$ModLoad immark
# network inputs: UDP and TCP on 514
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$EscapeControlCharactersOnReceive on
# relay template: rawmsg is the message exactly as received, PRI included
$template myfmt, "[][][%fromhost-ip%][][] %rawmsg%\n"
# forward everything over UDP to the Kiwi server using that template
*.* @xxx.xxx.xxx.xxx:514;myfmt
and that's it.
Thanks for the help.
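A worked example added here (not code from the original post or from rsyslog): a small Python module that does what the regex idea in the post would do, stripping a leading <PRI> only when it is a syntactically valid one (1 to 3 digits, value 0 to 191, at offset 0, per RFC 3164), and optionally keeping the facility and severity it encodes as text, since dropping the PRI silently discards the severity a SIEM could otherwise alert on. The sample line is constructed from the firewall message quoted above with an assumed PRI of <134> (local0.info); the relay address 192.0.2.1 is also assumed. Inside rsyslog itself the equivalent is to avoid %rawmsg% and either use a property that excludes the PRI (%rawmsg-after-pri%, available in newer rsyslog 8 releases) or rebuild the line from %timestamp% %hostname% %syslogtag%%msg%.

```python
"""Strip the syslog PRI from a forwarded message the way rsyslog's %rawmsg%
would otherwise deliver it, and keep facility/severity as text if wanted.
Added example; not code from the forum post or from rsyslog."""
import re

# Constructed sample input: the firewall line quoted in the post, with an
# assumed PRI of <134> (local0.info) prepended, as %rawmsg% would carry it.
RAW_WITH_PRI = (
    '<134>Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall: '
    'msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 192.168.30.2 '
    '8.8.8.8 54358 53 (DNS-00)'
)
RAW_WITHOUT_PRI = RAW_WITH_PRI[len('<134>'):]   # the same line with no PRI

# RFC 3164 4.1.1: PRI is "<" + 1..3 digits + ">", value 0..191, at offset 0.
PRI_RE = re.compile(r'^<(\d{1,3})>')

FACILITIES = [
    'kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
    'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
    'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7',
]  # names for 12-15 differ between implementations; RFC 3164 only numbers them
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']


def split_pri(raw):
    """Return (pri, rest). pri is None and rest is the whole line when there
    is no valid PRI, so '<...>' text that is not a PRI is never eaten."""
    m = PRI_RE.match(raw)
    if m is None:
        return None, raw
    pri = int(m.group(1))
    if pri > 191:
        return None, raw
    return pri, raw[m.end():]


def decode_pri(pri):
    """PRI = facility * 8 + severity."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def relay_line(raw, fromhost_ip, keep_pri_text=False):
    """Build the line in the shape of the post's template,
    '[][][%fromhost-ip%][][] ...', but without the PRI. With keep_pri_text
    the facility.severity is inserted as text so the SIEM still sees it."""
    pri, body = split_pri(raw)
    prefix = '[][][%s][][] ' % fromhost_ip
    if keep_pri_text and pri is not None:
        facility, severity = decode_pri(pri)
        prefix += '%s.%s ' % (facility, severity)
    return prefix + body


if __name__ == '__main__':
    print(relay_line(RAW_WITH_PRI, '192.0.2.1'))            # assumed relay address
    print(relay_line(RAW_WITH_PRI, '192.0.2.1', keep_pri_text=True))
```

The value check matters: a bare "strip whatever is between < and >" regex would also remove a <1000> or an XML-looking <tag> that happens to start a message body, and would leave a line that never had a PRI (the second form above) untouched only by luck. Keeping facility.severity as text is the middle ground between forwarding the numeric PRI, which the SIEM did not want, and losing the severity entirely.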