Can we avoid to_syslog_ietf to include all fields in forwarded message

Whok1996
Hello everyone,

I'm new to _NXLOG_ and I'm trying to understand how event creation and forwarding work. I have a question about the `parse_json()` function or maybe the `to_syslog_ietf()` function, I'm not sure.

Is it possible to use `parse_json($Message)` then `to_syslog_ietf()` to forward `$Message` without all the fields obtained with parse_json included in the forwarded syslog event?

Here are more explanations:

- I receive a syslog event and use `parse_syslog_ietf()`
- I get `$Message` which is JSON formatted, so I use `parse_json($Message)`
- As I want to forward a specific field (let's say _MsgToForward_) I define `$Message = $MsgToForward`
- Then use `to_syslog_ietf` to forward it through syslog.

In the forwarded event everything is ok, except that all the fields in the JSON (the original `$Message` field) are included in the forwarded message. But I don't understand why, because if I put a `log_info($raw_event)` after the parse_syslog and after the parse_json, `$raw_event` has not changed. So is it to_parse-ietf() function which includes all the fields available? Can we avoid that?

For instance the original event is:

```
2020-12-29 03:05:19 INFO 1 2020-12-29T03:05:19.692869 admin-PC send-logs 3556 send-logs.exe - {"user":"NT AUTHORITY\\SYSTEM","name":"main","programSource":"send-logs","msgToForward":"Send-logs started"};
```

Then the forwarded message:

```
2020-12-29 03:05:19 INFO 1 2020-12-29T03:05:19.692869 admin-PC send-logs 3556 send-logs.exe [NXLOG@14506 MessageSourceAddress="127.0.0.1" EventReceivedTime="2020-12-29 03:05:19" SourceModuleName="inSyslog" SourceModuleType="im_udp" user="NT AUTHORITY\\SYSTEM" name="main" programSource="send-logs" msgToForward="Send-logs started"] Send-logs started
```

We can see the fields available in the JSON in the first event (user, name, programSource and msgToForward) are added in the second event.
But they are useless here, so I'm trying to have this result:

```
2020-12-29 03:05:19 INFO 1 2020-12-29T03:05:19.692869 admin-PC send-logs 3556 send-logs.exe [NXLOG@14506 MessageSourceAddress="127.0.0.1" EventReceivedTime="2020-12-29 03:05:19" SourceModuleName="inSyslog" SourceModuleType="im_udp"] Send-logs started
```

Is there a way to avoid parse_json or to_syslog_ietf adding these fields? (The number of fields and their names are not always the same.) Or should I just not use parse_json and use `regexp` instead to get the value of MsgToForward?

My configuration if needed.

```
<Input inSyslog>
    Module  im_udp
    Host    127.0.0.1
    Port    514
</Input>

<Output outSyslog2>
    Module  om_udp
    Host    127.0.0.1
    Port    1514
    # Parse the incoming syslog, expand the JSON body into fields,
    # keep only the wanted value as the message, then re-serialise.
    Exec    parse_syslog_ietf(); parse_json($Message); $Message = $MsgToForward; to_syslog_ietf();
</Output>

# The route name is not shown in the post; "route1" is a placeholder.
<Route route1>
    Path    inSyslog => outSyslog2
</Route>
```

Any help is welcomed. Thank you :)

Whok.
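
The behaviour described in the post, modelled in Python as an added example (not NXLog code and not part of the original post). It assumes, as the forwarded message above shows, that every record field which is not an RFC 5424 header field ends up in the `NXLOG@14506` SD-ELEMENT; the header-field set, the priority value 14 and all function names are constructed for the illustration.

```python
import json

# Fields rendered in the RFC 5424 header or body (assumed set for this model).
HEADER_FIELDS = {"Priority", "EventTime", "Hostname", "SourceName",
                 "ProcessID", "MessageID", "Message"}

def sd_escape(value):
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']'.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def model_to_syslog_ietf(record, sd_id="NXLOG@14506"):
    # Every non-header field of the record becomes an SD-PARAM.
    params = " ".join(f'{k}="{sd_escape(v)}"' for k, v in record.items()
                      if k not in HEADER_FIELDS)
    sd = f"[{sd_id} {params}]" if params else "-"
    head = "<{Priority}>1 {EventTime} {Hostname} {SourceName} {ProcessID} {MessageID}"
    return f"{head.format(**record)} {sd} {record['Message']}"

def forward_leaky(record):
    # Like parse_json($Message): every JSON key is promoted to a record field,
    # so the serialiser later emits all of them.
    rec = dict(record)
    rec.update(json.loads(rec["Message"]))
    rec["Message"] = rec["msgToForward"]
    return model_to_syslog_ietf(rec)

def forward_minimal(record, wanted="msgToForward"):
    # Decode into a local value only: the JSON keys never enter the record,
    # whatever their number or names.
    rec = dict(record)
    rec["Message"] = json.loads(rec["Message"])[wanted]
    return model_to_syslog_ietf(rec)

# Constructed record: what parse_syslog_ietf() would yield for the post's event.
SAMPLE = {
    "Priority": 14, "EventTime": "2020-12-29T03:05:19.692869",
    "Hostname": "admin-PC", "SourceName": "send-logs", "ProcessID": 3556,
    "MessageID": "send-logs.exe",
    "Message": r'{"user":"NT AUTHORITY\\SYSTEM","name":"main",'
               r'"programSource":"send-logs","msgToForward":"Send-logs started"}',
    "MessageSourceAddress": "127.0.0.1",
    "EventReceivedTime": "2020-12-29 03:05:19",
    "SourceModuleName": "inSyslog", "SourceModuleType": "im_udp",
}

if __name__ == "__main__":
    print(forward_leaky(SAMPLE))
    print(forward_minimal(SAMPLE))
```
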