[rsyslog-notify] Forum Thread: Re: Removing <PRI> in a forwarded syslog message - (Mode 'reply')
noreply at adiscon.com
Wed Sep 30 06:22:49 CEST 2015
User: smartdave
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25968#p25968
Message:
----------
Thanks Dlang
So the format my SIEM requires (for this specific example) is the 5
bracketed fields followed by the original syslog message. So a valid
message format that I would like to receive would be
[][][Fromhost-ip][unix time][] syslog message
All I am asking rsyslog to do to an inbound syslog message is to add the 5
bracketed fields, with the third bracket having the IP address of the host
sending the logs and the fourth bracketed field being the time the message
was received in unix time; although that field is tossed, there has to
be something in there.
As you pointed out, the original message must have the <pri> in it, which is
why it is being transferred to the %rawmsg% field.
My question is how I can remove it. I would like something like: if the
rawmsg starts with <xxx> or <xx>, ignore it and start the rawmsg with what
comes after.
Does that make sense?
Dave
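One way to produce the "[][][fromhost-ip][unix time][] original message" line without the leading PRI, as an added rsyslog configuration example that is not part of the thread. It assumes rsyslog 8.x RainerScript syntax, inbound syslog on UDP/514, a placeholder SIEM address siem.example.com:514/TCP, and a build that has the rawmsg-after-pri property (a regex-based fallback template is shown for builds that lack it).

```rsyslog
# Added example (not from the thread): build the SIEM line
# "[][][fromhost-ip][unix time][] <original message without PRI>".
# Assumptions: rsyslog 8.x (RainerScript), inbound syslog on UDP/514,
# SIEM reachable as siem.example.com:514/TCP (placeholder values).

module(load="imudp")
input(type="imudp" port="514" ruleset="to_siem")

# rawmsg-after-pri is rawmsg with the leading "<nnn>" removed; when no PRI
# was present it is identical to rawmsg, so the original text is untouched.
template(name="siem_line" type="string"
         string="[][][%fromhost-ip%][%timegenerated:::date-unixtimestamp%][] %rawmsg-after-pri%\n")

# Fallback for builds without rawmsg-after-pri: strip "<nnn>" with the
# property replacer's regex mode. ERE submatch 1 is everything after the
# PRI; the FIELD no-match option returns the unchanged rawmsg if no PRI
# was found, so messages without one are forwarded as-is.
template(name="siem_line_regex" type="string"
         string="[][][%fromhost-ip%][%timegenerated:::date-unixtimestamp%][] %rawmsg:R,ERE,1,FIELD:^<[0-9]{1,3}>(.*)--end%\n")

ruleset(name="to_siem") {
    # Switch template="siem_line_regex" here if rawmsg-after-pri is unavailable.
    action(type="omfwd" target="siem.example.com" port="514" protocol="tcp"
           template="siem_line")
}
```

Binding the input to its own ruleset keeps the SIEM format from leaking into local log files handled by the default ruleset.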