rsyslog config to store only raw message ($msg) to a file

Asked 4/5, 2016 at 9:30 Answered 11/2, 2020 at 17:11

How can I store only the raw message to a file?
E.g.:
I received a message via rsyslog:

Received syslog message:

May  4 13:18:47 xxxx apache-error: [Wed May 04 13:18:41.256596 2016] [:error] [pid 54583] [client 192.168.30.200:52638] script '/var/www/aaa.php' not found or unable to stat

I need a rsyslog config to extract raw message from input, without syslog header (highlighted bellow):

May 4 13:18:47 xxxx apache-error: [Wed May 04 13:18:41.256596 2016] [:error] [pid 54583] [client 192.168.30.200:52638] script '/var/www/aaa.php' not found or unable to stat

expected Output:

[Wed May 04 13:18:41.256596 2016] [:error] [pid 54583] [client 192.168.30.200:52638] script '/var/www/aaa.php' not found or unable to stat

tnx!

Pebbly answered 4/5, 2016 at 9:30 Comment(0)

You can add a custom template in a rsyslog config file. So in /etc/rsyslog.d, find the config file that configures the log file in question. If you're talking about syslog, then you can add a custom template and change the config line to something like:

$template myFormat,"%msg%\n"
*.*         -/var/log/syslog; myFormat

Also, if you want that template for all your log files, you can add this to your rsyslog config file, and thus you wouldn't have to add the template specifically to your log file line:

$template myFormat,"%msg%\n"
$ActionFileDefaultTemplate myFormat

Zampino answered 4/5, 2016 at 15:25 Comment(1)

tnx @drewyupdrew, ur answer solved my problem. Some useful links: itsol.biz/custom-templates-rsyslog – Pebbly 4/5, 2016 at 19:9

it is recommended to use : $template myFormat,"%msg:2:2048%\n

reference : http://rsyslog-users.1305293.n2.nabble.com/rawmessage-forwarding-doesn-t-appear-to-work-td7482747.html

With %msg:2:2048% the message part of the syslog event starts immediately.

Chuch answered 11/2, 2020 at 17:11 Comment(0)

Received syslog message:

expected Output:

Recommended topics

Hot tags