[rsyslog-notify] Forum Thread: Can't get <PRI> to display - (Mode 'post')
noreply at adiscon.com
Fri Jan 1 00:44:48 CET 2016
User: techcheez
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26266#p26266
Message:
----------
I am running rsyslog version 8.15.0 and can't seem to get it to display the
<PRI> attribute at the beginning of each line being saved. I'm sending
syslog data over from a Cisco ASA firewall and tried modifying the
$ActionFileDefaultTemplate line to RSYSLOG_SyslogProtocol23Format and also
tried creating a template:
[code]
template(name="ForwardFormat" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag" position.from="1" position.to="32")
    property(name="msg" spifno1stsp="on")
    property(name="msg")
}
[/code]
and set the line to $ActionFileDefaultTemplate ForwardFormat
This didn't work either. I'm seeing the following output in my log files
and it's causing issues with logstash not being able to parse without the
<PRI> attribute.
2015-12-31T17:41:50.242580-06:00 HOSTNAME %ASA-4-106023: Deny udp src
outside:x.x.x.x/36251 dst inside:x.x.x.x/19138 by access-group "X" [0x0,
0x0]
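
Added example, not part of the original post: a small Python check that can be run over stored log lines to confirm each one starts with a <PRI> header, decode it into facility and severity, and compare the severity with the level embedded in the %ASA-n-id tag. The function name check_line and the <164>/<165> sample lines are constructed for illustration; the first sample is the line quoted in the post.

```python
import re

# <PRI> is facility * 8 + severity (RFC 3164 / RFC 5424), valid range 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco ASA tags embed the severity: %ASA-<severity>-<message id>
ASA_RE = re.compile(r"%ASA-(\d)-(\d+)")

BODY = ('2015-12-31T17:41:50.242580-06:00 HOSTNAME %ASA-4-106023: Deny udp src '
        'outside:x.x.x.x/36251 dst inside:x.x.x.x/19138 by access-group "X" [0x0, 0x0]')

SAMPLE_LINES = [
    BODY,             # line as quoted in the post: no <PRI>
    "<164>" + BODY,   # constructed: facility 20, severity 4
    "<165>" + BODY,   # constructed: severity 5 disagrees with %ASA-4
]


def check_line(line):
    """Describe the PRI header of one stored log line (hypothetical helper)."""
    result = {"has_pri": False, "facility": None, "severity": None,
              "asa_severity": None, "problem": None}
    asa = ASA_RE.search(line)
    if asa:
        result["asa_severity"] = int(asa.group(1))
    match = PRI_RE.match(line)
    if not match:
        result["problem"] = "missing <PRI>"
        return result
    pri = int(match.group(1))
    if pri > 191:
        result["problem"] = "PRI out of range"
        return result
    # Upper bits carry the facility, the low three bits the severity.
    result.update(has_pri=True, facility=pri >> 3, severity=pri & 7)
    if asa and result["asa_severity"] != result["severity"]:
        result["problem"] = "PRI severity differs from %ASA level"
    return result


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_line(sample))
```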