[rsyslog-notify] Forum Thread: Re: Removing <PRI> in a forwarded syslog message - (Mode 'reply')

noreply at adiscon.com
Wed Sep 30 07:29:37 CEST 2015


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25970#p25970

Message: 
----------
Look at the property replacer documentation; you may be able to do
something with fields, but you may be better off doing something like the
following (if you are running a new enough rsyslog):


# the SIEM's bracketed format; %$.msg% is the local variable set below
template(name="myfmt" type="string"
         string="[][][%fromhost-ip%][%timegenerated:::date-unixtimestamp%][] %$.msg%\n")
# render the message with the built-in format (no PRI) into a local variable
set $.msg = exec_template("RSYSLOG_TraditionalFileFormat");

This will use the fast built-in format to write the string in the
traditional file format, which has everything but the PRI info, and then in
the template, as a bonus, I set the timestamp in case the SIEM uses it in
the future.

It's odd that the SIEM doesn't care about the severity of the message (that
and the facility are what are in the PRI info that it's having you throw
away).
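To make concrete what the forwarded line ends up looking like, and what the dropped PRI actually encodes, here is an added example in Python. It is not part of the post above and not rsyslog code: it strips the `<PRI>` header the way the template above avoids emitting it, decodes the PRI into the facility and severity the SIEM is giving up, and builds the same `[][][ip][unixts][] message` string. The two sample log lines, the host IP 192.0.2.10 and the epoch timestamp are constructed stand-ins for what rsyslog would supply as %fromhost-ip% and %timegenerated%.

```python
import re

# Constructed sample input (not from the thread): one RFC 3164 line with a
# PRI header and one without, as a relay or SIEM might receive them.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "Oct 11 22:14:16 mymachine sshd[1234]: Accepted publickey for alice from 10.0.0.5",
]

# PRI = facility * 8 + severity; names follow the RFC 3164 / RFC 5424 tables.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(line):
    """Return (pri, rest). pri is None when the line carries no valid <PRI>."""
    m = PRI_RE.match(line)
    if m is None:
        return None, line
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1; anything above is malformed
        return None, line
    return pri, line[m.end():]


def decode_pri(pri):
    """Split a PRI value into its (facility, severity) names."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def to_siem_format(line, fromhost_ip, received_epoch):
    """Build the thread's output format: [][][ip][unixts][] <message without PRI>.

    fromhost_ip and received_epoch stand in for rsyslog's %fromhost-ip% and
    %timegenerated:::date-unixtimestamp%, which the relay knows from the
    connection and its own clock; the line itself does not carry them.
    """
    _, body = split_pri(line)
    return f"[][][{fromhost_ip}][{received_epoch}][] {body}"


def dropped_fields(line):
    """What the SIEM loses when PRI is stripped: facility and severity."""
    pri, _ = split_pri(line)
    if pri is None:
        return None
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity}


if __name__ == "__main__":
    # 1443657600 is a constructed receive time (2015-10-01 00:00:00 UTC)
    for line in SAMPLE_LINES:
        print(to_siem_format(line, "192.0.2.10", 1443657600))
        print("  dropped:", dropped_fields(line))
```

Running it shows the first line forwarded as `[][][192.0.2.10][1443657600][] Oct 11 22:14:15 mymachine su: ...` with the `<34>` (auth, crit) discarded, and the second line passing through unchanged apart from the added prefix, since it never had a PRI to remove.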

