Mimic rsyslog output on Ubuntu


#1 bbach

Using nxlog in front of logstash on a server.  On the same user, I want to use nxlog to replace rsyslog.  Seems pretty simple.  The only issue is the file format is slightly different than what rsyslog outputs.  I see:

<78>May  6 13:50:01 CRON[19454]: (root) CMD (   /opt/observium/discovery.php -h new >> /dev/null 2>&1)

vs:

Jul 16 18:00:01 monitor01 CRON[6871]: (root) CMD (   /opt/observium/poller-wrapper.py 16 >> /dev/null 2>&1)

Main difference is the <NN> at the beginning of the line and the missing hostname (monitor01).  Here is my .conf:

<Input in_uds>
    Module    im_uds
    UDS       /dev/log
</Input>

<Input in_kernel>
    Module    im_kernel
</Input>

<Output out>
    Module    om_file
    File      "/var/log/syslog"
</Output>

<Route local_route>
    Path      in_uds, in_kernel => out
</Route>

Is there a simple change I can make to get the desired format?  Thanks.  -- Bud


#2 adm Nxlog ✓

I think rsyslog calls that TraditionalFileFormat and the reason most likely is because syslog was (and still is) traditionally split into multiple files such as mail.err, mail.info, mail.warn etc, which is basically the facility and severity encoded in <PRI>.

If you are only interested in the solution the following will strip off <PRI>:

<Output out>
  Module om_file
  File "/var/log/syslog"
  Exec if $raw_event =~ /^<\d+>(.*)/ $raw_event = $1;
</Output>

Note that when you write all output to a single file such as "/var/log/syslog" the severity and facility information is lost. Calling parse_syslog() will put it in $SyslogSeverity and $SyslogFacility that you can then use in the destination filename, or make it appear inside the log, or filter it, etc.
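The <PRI> handling adm describes, worked through as an added Python example (not nxlog's code and not from either poster): it strips <PRI>, decodes it into facility and severity (PRI = facility * 8 + severity), and re-inserts a hostname after the BSD timestamp so the line matches rsyslog's TraditionalFileFormat. The hostname "monitor01" and the per-facility /var/log/<facility>.<severity> path are assumptions; the sample line is constructed in the shape the original post shows.

```python
import re
from typing import NamedTuple, Optional

# Facility and severity names from the syslog PRI encoding (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> prefix, then a BSD-style timestamp ("Mmm dd hh:mm:ss", day space-padded) and the rest.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.DOTALL)


class Rewritten(NamedTuple):
    line: str                  # line in rsyslog TraditionalFileFormat
    facility: Optional[str]    # decoded from <PRI>; None if the line had no valid PRI
    severity: Optional[str]


def decode_pri(pri: int):
    """Split PRI into (facility, severity) names; anything above 191 is not a valid PRI."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def to_traditional(line: str, hostname: str) -> Rewritten:
    """Strip <PRI> and insert the hostname after the timestamp, as rsyslog's file format does."""
    m = PRI_RE.match(line)
    if not m:
        return Rewritten(line, None, None)          # no PRI: pass the line through untouched
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return Rewritten(line, None, None)          # invalid PRI: treat the whole line as message
    ts = TS_RE.match(m.group(2))
    if not ts:
        return Rewritten(m.group(2), facility, severity)  # PRI stripped, no timestamp to anchor on
    return Rewritten(f"{ts.group(1)} {hostname} {ts.group(2)}", facility, severity)


def split_file(facility: str, severity: str) -> str:
    """Destination in the traditional per-facility/severity layout (assumed path), e.g. /var/log/cron.info."""
    return f"/var/log/{facility}.{severity}"


if __name__ == "__main__":
    # Constructed sample in the shape the original post shows nxlog writing.
    sample = "<78>May  6 13:50:01 CRON[19454]: (root) CMD (   /opt/observium/discovery.php -h new >> /dev/null 2>&1)"
    r = to_traditional(sample, "monitor01")
    print(r.line)
    print(r.facility, r.severity, split_file(r.facility, r.severity))
```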