How to edit messages sent with Rsyslog

rsyslog

I have an rsyslog server that sends messages.

I wonder, is it possible to edit any of the data I forward?

In other words, one of the logs I send includes the following information:

<13>Nov 29 08:00:00 localhost CEF: 0|212|656|1|1|Bot Access Control|4| fileId=739000180002315518 sourceServiceName=

I would be interested in changing the host name, for example, from localhost to HOST01:

<13>Nov 29 08:00:00 HOST01 CEF: 0|212|656|1|1|Bot Access Control|4| fileId=739000180002315518 sourceServiceName=

I have no control over where the logs are received, only the delivery.

Best Answer

You can do this using property replacers working on the msg property, assuming that is where the string localhost is found.

Put in your rsyslog.conf or similar a line defining a template called, say, newmsg:

$template newmsg,"%timestamp% %programname% %msg:R,ERE,1:(.*) localhost --end% HOST01 %msg:R,ERE,1: localhost (.*)--end%\n"

To make this more readable, here it is split over several lines, but you must use the single-line version above:

$template newmsg,
 "%timestamp% %programname% 
  %msg:R,ERE,1:(.*) localhost --end%
  HOST01 
  %msg:R,ERE,1: localhost (.*)--end%
 \n"

This contains two uses of a replacer of the form %msg:R,ERE,1: ...(...)... --end%, where %msg% is the property used as input for a regexp (R) of the extended type (ERE), keeping only capture group 1, followed by the regexp pattern, which has a capture group (), with the replacer ended by --end.

Since this template always adds the word HOST01 to the message, you should only use it if the message actually contains localhost, so edit the action where you log the message to test for this, e.g.:

:msg, contains, " localhost "      -/var/log/test.log; newmsg

Note the use of the template at the end: ; newmsg.


You can use templates when sending to a remote too, e.g.:

action(type="omfwd"
 Target="server.example.net"
 Port="10514"
 Protocol="tcp"
 Template="newmsg"
)
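The same idea in rsyslog's current RainerScript syntax, as an added example that is not part of the answer above. It assumes the line reaches rsyslog as a normal syslog message, so rsyslog has already split it into the PRI, TIMESTAMP, HOSTNAME, syslogtag and msg properties. In the question's sample line, localhost sits in the HOSTNAME position of the header rather than inside the message text, so the first template below puts a literal in that position and leaves msg alone; the second covers the case the answer addresses, where localhost is part of the message text, and adds the header fields back so the receiver still gets a complete syslog line. The target name and port are taken from the answer, HOST01 from the question; the template names are made up for this example.

```rsyslog
# Added example, not the answer's own config. Assumes the message has been
# parsed by rsyslog into PRI, TIMESTAMP, HOSTNAME, syslogtag and msg.

# Case 1: "localhost" is the HOSTNAME header field (the question's sample).
# Traditional RFC 3164 forward format with a literal in the hostname position.
template(name="fwd_fixedhost" type="string"
         string="<%PRI%>%TIMESTAMP% HOST01 %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")

# Case 2: "localhost" is inside the message text. Same two regex replacers as
# the answer's newmsg template, with the header kept intact. The literal HOST01
# is always inserted, so this template is only selected when " localhost " is
# actually present in msg.
template(name="fwd_regexhost" type="string"
         string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:R,ERE,1:(.*) localhost --end% HOST01 %msg:R,ERE,1: localhost (.*)--end%\n")

if $hostname == "localhost" then {
    action(type="omfwd" target="server.example.net" port="10514" protocol="tcp"
           template="fwd_fixedhost")
} else if $msg contains " localhost " then {
    action(type="omfwd" target="server.example.net" port="10514" protocol="tcp"
           template="fwd_regexhost")
} else {
    # Everything else is forwarded unchanged with rsyslog's default format.
    action(type="omfwd" target="server.example.net" port="10514" protocol="tcp")
}
```

Two caveats worth checking before deploying this. First, when a regex replacer does not match, rsyslog substitutes its default no-match marker (the string **NO MATCH**) rather than the original text, which is why the regex template must only be chosen when the text is present. Second, the answer's newmsg template starts with %timestamp% %programname% and carries no <PRI> field or hostname position, so a receiver that parses a syslog header will see a differently shaped line than the one in the question; the templates above keep that header. Validate the file with rsyslogd -N1 before restarting the service.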