Where does the < 14 > come from?

Tags:

#1 TK_276781
Hi, we are using NXlog to forward syslog messages, which works fine. But we have that strange in the forwarded message: 3.127.197.211 ****2020-10-13 09:58:54,443 message Konfig: Module im_udp Port 514 Host 0.0.0.0 Module om_udp Host dstserver.domain.com Port 514 Exec $raw_event = $MessageSourceAddress + " " + $raw_event; Does anyone know why that happens? Thanks, Thomas
#2 konstantinosDeactivated Nxlog ✓
#1 TK_276781
Hi, we are using NXlog to forward syslog messages, which works fine. But we have that strange in the forwarded message: 3.127.197.211 ****2020-10-13 09:58:54,443 message Konfig: Module im_udp Port 514 Host 0.0.0.0 Module om_udp Host dstserver.domain.com Port 514 Exec $raw_event = $MessageSourceAddress + " " + $raw_event; Does anyone know why that happens? Thanks, Thomas
Hi, You might be reading an event containing "priority" as defined in [RFC 3164](https://tools.ietf.org/html/rfc3164#section-4.1.1) = Facility * 8 + Severity. In your example, = 1(userlevel) * 8 + 6(info). If you want to get rid of that in your output, I see two options: - Chop the initial field by using a regex similar to this: ``` parse_syslog(); if $raw_event =~ /^(.*)/ { $raw_event = $MessageSourceAddress + " " + $1; } else { $raw_event = $MessageSourceAddress + " " + $raw_event; } ``` Or - Restructure the message using the desired syslog fields, omitting $priority similar to this: ``` parse_syslog(); $raw_event = $MessageSourceAddress + " " +$EventTime + " " + $Hostname + " " + $SourceName + " " + '[' + $ProcessID + ']: ' + $Message; ``` Thanks, Konstantinos