[rsyslog-notify] Forum Thread: Re: Removing <PRI> in a forwarded syslog message - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Wed Sep 30 06:07:17 CEST 2015


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25967#p25967

Message: 
----------
if you are sending it from rsyslog with the config:

$template myfmt, "[][][%fromhost-ip%][][] %rawmsg%\n"

*.* @xxx.xxx.xxx.xxx:514;myfmt

and the original message over the wire is:

<pri>Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall:
msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 192.168.30.2
8.8.8.8 54358 53 (DNS-00)

then what you are sending is
[][][ipaddress][][]<pri>Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45)
firewall: msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127
192.168.30.2 8.8.8.8 54358 53 (DNS-00)

probably the Kiwi server is deciding that all the [] related stuff is
garbage and ignoring it.

since the <pri> is part of the rawmsg, when you define a template with
rawmsg in it, it's going to include that (after the other stuff in front)

on your syslog server, log to a local file with the template and you will
see exactly what you are sending. log with RSYSLOG_DebugFormat and you will
see what all the variables contain that you are using to craft your
outbound message.

since what you are crafting is not a valid syslog message, when you send it
to a receiver expecting a properly formatted syslog message, all bets are
off.

What does your SIEM want to receive? If it wants to receive a syslog
message, why are you reformatting it? If it's some other format, if you can
document what that format is, we can help you craft it.
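The following Python script is an added illustration of the point made in the reply above; it is not part of dlang's post and is not rsyslog or Kiwi code. It models a strict RFC 3164 receiver and feeds it two constructed lines: the firewall message as it would arrive with a real PRI (the thread only shows the placeholder `<pri>`, so PRI 134, local0.info, is assumed here), and the same message after the `[][][%fromhost-ip%][][] %rawmsg%` template has put the bracket prefix in front of the PRI. It then shows the alternative of keeping the PRI and header first and placing the relay prefix after the hostname, which is what a template along the lines of `"<%PRI%>%TIMESTAMP% %HOSTNAME% [][][%fromhost-ip%][][] %msg%\n"` would aim at (that template is an assumption about the desired layout, not something from the thread; check exact `%msg%` contents with RSYSLOG_DebugFormat as the reply suggests). The relay IP 192.0.2.10 is a made-up stand-in for `%fromhost-ip%`.

```python
import re
from typing import Optional

# Constructed sample input (not captured from the thread). The thread shows the
# PRI only as "<pri>"; 134 (facility 16 = local0, severity 6 = info) is assumed.
ORIGINAL = (
    '<134>Sep 29 22:08:45 XTM_2_Series (2015-09-30T02:08:45) firewall: '
    'msg_id="3000-0148" Allow 1-Trusted 0-External 70 udp 20 127 '
    '192.168.30.2 8.8.8.8 54358 53 (DNS-00)'
)

RELAY_IP = "192.0.2.10"  # assumed stand-in for %fromhost-ip%

# What the thread's template "[][][%fromhost-ip%][][] %rawmsg%" produces:
# %rawmsg% still carries the "<PRI>", so the prefix lands in front of it and
# the PRI is no longer at byte 0 of the datagram.
BROKEN_FORWARD = f"[][][{RELAY_IP}][][] {ORIGINAL}"

# RFC 3164: "<PRI>" must be the very first thing on the line, PRI is 0..191.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# Followed by "Mmm dd HH:MM:SS HOSTNAME " (day is space padded, e.g. "Sep  5").
_HEADER_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S
)


def parse_rfc3164(line: str) -> Optional[dict]:
    """Strict RFC 3164 parse. Returns None if the line is not a syslog message."""
    m = _PRI_RE.match(line)
    if not m:
        return None  # no "<PRI>" at offset 0: receiver treats it as garbage
    pri = int(m.group(1))
    if pri > 191:
        return None  # facility 23 / severity 7 is the maximum legal PRI
    h = _HEADER_RE.match(line[m.end():])
    if not h:
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": h.group(1),
        "hostname": h.group(2),
        # Everything after the hostname: original tag plus content.
        "msg": h.group(3),
    }


def forward_with_prefix(raw: str, fromhost_ip: str) -> str:
    """Re-emit a message with the relay prefix inside the MSG part.

    The "<PRI>TIMESTAMP HOSTNAME" header is kept in front so a downstream
    syslog receiver still recognises the line as syslog.
    """
    parsed = parse_rfc3164(raw)
    if parsed is None:
        raise ValueError("input is not a well-formed RFC 3164 message")
    pri = (parsed["facility"] << 3) | parsed["severity"]
    return (
        f"<{pri}>{parsed['timestamp']} {parsed['hostname']} "
        f"[][][{fromhost_ip}][][] {parsed['msg']}"
    )


if __name__ == "__main__":
    print("original :", parse_rfc3164(ORIGINAL))
    print("broken   :", parse_rfc3164(BROKEN_FORWARD))  # None
    fixed = forward_with_prefix(ORIGINAL, RELAY_IP)
    print("fixed    :", fixed)
    print("parsed   :", parse_rfc3164(fixed))
```

Running it, the line produced by the thread's template parses to `None`, which is the "all bets are off" outcome dlang describes: a receiver looking for `<PRI>` at byte 0 has nothing to work with. The rebuilt line keeps facility/severity, timestamp and hostname intact and carries the bracketed relay address inside the message body, where a receiver will pass it through rather than discard it. Logging the outbound template to a local file first, as the reply recommends, is the cheapest way to confirm which of these two shapes is actually leaving the box.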


More information about the rsyslog-notify mailing list