Can Rsyslog process messages before saving them

rsyslogsyslog

The messages that I'm sending to syslog have some tags like so:

"[date] [text here] tags:tag1,tag2,tag3 [more text here]"

I already have a rule that only saves lines that contain the text "tags:" to a specific file.

It would be great if that file only contained a substring of that message, in this case just the date and the tags part.

Can rsyslog do some processing/manipulation to a message prior to saving it?

Thanks in advance.

Best Answer

Yes, it can. The place to look for information is at the rsyslog documentation for property replacer. If the list of tags is always the same length, you can use substring. Otherwise you'll need to use a regexp, e.g.

%msg:R:.(tags:[\S]+).--end%

Related Solutions

Ubuntu – How to get rsyslogd to log a server’s FQDN instead of it’s short hostname

I ran into this issue as well. Here is how I was able to fix it.

On the clients modify the /etc/hosts file so the desired hostname comes before localhost.

127.0.0.1 hostnameforlogs localhost
On the clients and server modify /etc/rsyslog.conf to include this statement:

$PreserveFQDN on
On the server I used the %HOSTNAME% variable for the templates in rsyslog.conf:

Rsyslog – Relay Only Remotely Received Messages

I can also recommend you nxlog as its configuration allows you to more naturally define the flow what you specified above.

Config skeleton:

<Input udpin>
 Module im_udp
 ...
</Input>

<Output tcpout>
 Module om_tcp
 ...
</Output>

<Route forwarder>
 Path udpin => tcpout
</Route>

Best Answer

Related Solutions

Ubuntu – How to get rsyslogd to log a server’s FQDN instead of it’s short hostname

Rsyslog – Relay Only Remotely Received Messages

Related Topic