How To Get Rid of "<134>1" On Log Line #4854
Replies: 1 comment
flags(no-parse) tells syslog-ng to avoid parsing completely, and to put the entire incoming message into $MSG, without changing it in any way. flags(store-raw-message) tells syslog-ng to store the original message into $RAWMSG regardless of any parsing performed. If you use both, that means that both $MSG and $RAWMSG will be set to the same value. With that said, what you see as "<134>1" is a syslog header that the client sends to syslog-ng. To get rid of that, you can use one of two strategies:
The issue in your specific case is that your message is in an invalid format. The "1" after the <134> indicates that this is actually an RFC5424 style message, but at the end it does not match the required syntax. Since the built-in parser does not cope with this, you will need to use 2) above, e.g. have it parsed using regexes for example.
Hello,
I'm running into a problem where I need to store just the message without anything else appended. I was able to remove things like the time/date but this <134>1 is stubbornly persisting. I'll list what I've done below then attach my config file.
At this point I'm completely confused. I don't know how else to get rid of this. Any assistance?
Example Log Line
`<134>1 1710475219.262728457 XXX urls src=XXX dst=XXX mac=XX request: UNKNOWN XXX`
Config File
```
@version: 3.35
@include "scl.conf"

# some global options.
options {
    chain_hostnames(off);
    flush_lines(0);
    keep_hostname(yes);
    use_dns(no);
    use_fqdn(no);
    dns_cache(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(3600);
};

# define syslog source
# no-parse keeps the whole datagram, syslog header included, in $MESSAGE;
# store-raw-message keeps the same bytes in $RAWMSG
source s_net { udp(ip("192.168.X.XXX") port(514) flags(no-parse, store-raw-message)); };

# create individual filters to match each of the role categories
filter f_XXX_urls { match("urls" value("MESSAGE")); };
filter f_XXX_security_events { match("security_event" value("MESSAGE")); };
filter f_XXX_ids-alerts { match("ids_alerted" value("MESSAGE")); };
filter f_XXX_flows { match("flows" value("MESSAGE")); };

template t_log {
    template("${RAWMSG}\n");
    # I've also tried template("${MESSAGE}\n");
    template_escape(no);
};

# define individual destinations for each of the role categories
destination df_XXX_urls { file("/var/log/syslog-ng/XXX.log" template(t_log)); };
destination df_XXX_security_events { file("/var/log/syslog-ng/XXX.log" template(t_log)); };
destination df_XXX_ids-alerts { file("/var/log/syslog-ng/XXX.log" template(t_log)); };
destination df_XXX_flows { file("/var/log/syslog-ng/XXX.log" template(t_log)); };

# bundle the source, filter, and destination rules together with a logging rule for each role category
log { source(s_net); filter(f_XXX_urls); destination(df_XXX_urls); };
log { source(s_net); filter(f_XXX_security_events); destination(df_XXX_security_events); };
log { source(s_net); filter(f_XXX_ids-alerts); destination(df_XXX_ids-alerts); };
log { source(s_net); filter(f_XXX_flows); destination(df_XXX_flows); };
```
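As an added example (not code from the original post or from the syslog-ng project), the Python script below shows the regex strategy the answer recommends, applied to the raw line from the question: it splits off the `<PRI>VERSION` header, checks whether the token after VERSION is the RFC 3339 timestamp that RFC 5424 requires, falls back to the epoch-style timestamp the sample actually carries, and hands back only the message body. Both sample lines are constructed for the example (the first copies the anonymised line above, the second is the RFC 5424 style for comparison), and the function names are assumptions. The same regular expressions could drive a syslog-ng `regexp-parser()` or a `rewrite { subst(...) }` step in place of `flags(no-parse)`.

```python
import re

# Constructed sample: the raw datagram from the question, sender fields
# already anonymised as XXX in the original post.
SAMPLE = "<134>1 1710475219.262728457 XXX urls src=XXX dst=XXX mac=XX request: UNKNOWN XXX"

# Constructed sample in the shape RFC 5424 actually requires (RFC 3339 timestamp).
SAMPLE_RFC5424 = "<34>1 2003-10-11T22:14:15.003Z mymachine su - ID47 - BOM'su root' failed"

# "<PRI>" followed by a one-digit VERSION is the start of an RFC 5424 header.
# PRI is facility * 8 + severity and must be in 0..191.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<rest>.*)$", re.S)

# RFC 5424 requires an RFC 3339 timestamp (or the NILVALUE "-") right after VERSION.
RFC3339_RE = re.compile(
    r"^(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2}))(?=\s)"
)

# Unix epoch seconds with an optional fractional part, which is what the sample
# carries instead; that is why syslog-ng's built-in parser rejects the line.
EPOCH_RE = re.compile(r"^(?P<epoch>\d{9,10}(?:\.\d+)?)\s+(?P<msg>.*)$", re.S)


def parse_raw_syslog(raw: str) -> dict:
    """Split a raw datagram into header fields and message body.

    Returns a dict with:
      pri, facility, severity, version  from the "<PRI>VERSION" header (None if absent)
      rfc5424_timestamp                 True when a valid RFC 3339 timestamp follows
      timestamp                         the timestamp token as sent (RFC 3339 or epoch)
      message                           everything after the timestamp
    """
    m = HEADER_RE.match(raw)
    if not m:
        # No "<PRI>" header at all: treat the whole datagram as the message.
        return {"pri": None, "facility": None, "severity": None, "version": None,
                "rfc5424_timestamp": False, "timestamp": None, "message": raw}
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    rest = m.group("rest")
    ts_match = RFC3339_RE.match(rest)
    if ts_match:
        # Well-formed RFC 5424: timestamp, then the rest of the header and message.
        ts = ts_match.group(0)
        msg = rest[len(ts):].lstrip()
        valid = True
    else:
        # Malformed variant seen in the question: epoch seconds instead of RFC 3339.
        e = EPOCH_RE.match(rest)
        if not e:
            raise ValueError("neither RFC 3339 nor epoch timestamp after VERSION")
        ts, msg, valid = e.group("epoch"), e.group("msg"), False
    return {
        "pri": pri,
        "facility": pri // 8,
        "severity": pri % 8,
        "version": int(m.group("version")),
        "rfc5424_timestamp": valid,
        "timestamp": ts,
        "message": msg,
    }


def message_only(raw: str) -> str:
    """Return just the message body, i.e. what the question wants written to the file."""
    return parse_raw_syslog(raw)["message"]


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_RFC5424):
        parsed = parse_raw_syslog(line)
        print(f"valid RFC 5424 timestamp: {parsed['rfc5424_timestamp']}, "
              f"facility {parsed['facility']} severity {parsed['severity']}")
        print("message:", parsed["message"])
```

For the line in the question this yields PRI 134 (facility 16, severity 6), version 1, the epoch token `1710475219.262728457`, and the message body starting at `XXX urls ...`; the header is reported rather than silently dropped, so a line whose PRI or version changes unexpectedly is still visible to whoever reviews the log.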