Change message content in a syslog server

rsyslog syslog

I am looking to log some troubleshooting info from a DataPower Appliance into a syslog.

Although it is already logging, I have a third party solution that requires some modification to the messages, so it can understand and classify the contents of the log file.

Is there a way that the syslog daemon can change the content of what DataPower (or any other syslog client) is sending to it before putting it into the log file?

Best Answer

rsyslog has a templating system allowing you to customize the logging format generated (http://www.rsyslog.com/doc/v8-stable/configuration/templates.html). You will need to use the property replacer to manipulate your text (http://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html) and use a filter (http://www.rsyslog.com/doc/v8-stable/configuration/filters.html) to select your messages.

I did an example on an old CentOS VM which I had handy. It simply swaps around the two comma separated parts of kernel messages such as this one:

Jan 4 2016 17:21:00 VMHOST imklog 5.8.10, log source = /prog/kmsg started.

and writes the altered message to /var/log/testmsg.

# Template: timestamp, host, tag, then the two comma-separated parts of msg swapped.
# The first regex extracts "log source = ... started" (everything up to the first '.'),
# the second extracts everything before the first comma ("imklog 5.8.10").
$template swapAround,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg:R:log.source.[^.]*--end%, %msg:R:[^,]*--end%\n"
# Filter: only messages whose program name contains "kernel" go through the template.
:programname, contains, "kernel" /var/log/testmsg;swapAround

Note that it is a bit clunky since it was for an old version of rsyslog where the property replacer lacks the newest features. (And I used the legacy format for the definitions which is less readable.)
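The same rewrite in rsyslog's newer RainerScript syntax (rsyslog 7 and later, the syntax described by the v8 docs linked in the answer), as an added example that is not part of the original answer. It assumes the same constructed kernel line as input and reuses the answer's names (`swapAround`, `/var/log/testmsg`, the `kernel` program name); whether `$programname` matches what a DataPower appliance sends depends on the tag in its messages, which is not known here.

```rsyslog
# Added example, not from the original answer.
# Constructed input, the kernel line from the answer as rsyslog receives it:
#   Jan  4 17:21:00 VMHOST kernel: imklog 5.8.10, log source = /prog/kmsg started.
# The list template below emits: timestamp, host, tag, then the part after the
# comma, a comma, and the part before the comma, i.e. the two halves swapped.
template(name="swapAround" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    constant(value=" ")
    # Second half first: "log source = /prog/kmsg started" (up to the first '.').
    # BLANK means an empty string, not "**NO MATCH**", if the regex does not hit.
    property(name="msg" regex.type="ERE" regex.submatch="0" regex.nomatchmode="BLANK"
             regex.expression="log source = [^.]*")
    constant(value=", ")
    # Then the first half: everything before the first comma, leading space stripped
    # via submatch 1 of the capture group ("imklog 5.8.10").
    property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK"
             regex.expression="^ ?([^,]*)")
    constant(value="\n")
}

# Filter on the program name (same condition as the legacy ":programname, contains"
# rule) and write the rewritten line with the template above.
if $programname contains "kernel" then {
    action(type="omfile" file="/var/log/testmsg" template="swapAround")
}
```

This rule writes the rewritten copy in addition to whatever the later, normal rules log; add a `stop` statement inside the block if only the rewritten line is wanted. For a remote sender such as DataPower the receiving input module (imudp or imtcp) must also be loaded, and the filter should match the tag that appliance actually puts in its messages rather than `kernel`.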
