1
response

Using nxlog in front of logstash on a server.  On the same user, I want to use nxlog to replace rsyslog.  Seems pretty simple.  The only issue is the file format is slightly different than the what rsyslog outputs.  I see:

<78>May  6 13:50:01 CRON[19454]: (root) CMD (   /opt/observium/discovery.php -h new >> /dev/null 2>&1)

vs:

Jul 16 18:00:01 monitor01 CRON[6871]: (root) CMD (   /opt/observium/poller-wrapper.py 16 >> /dev/null 2>&1)

Main difference is the <NN> at the beginning of the line and the missing hostname (monitor01).  Here is my .conf:

<Input in_uds>
    Module    im_uds
    UDS       /dev/log
</Input>

<Input in_kernel>
    Module    im_kernel
</Input>

<Output out>
    Module    om_file
    File      "/var/log/syslog"
</Output>

<Route local_route>
    Path      in_uds, in_kernel => out
</Route>

Is there a simple change I can make to get the desired format?  Thanks.  -- Bud

 

 

AskedMay 6, 2016 - 9:20pm

Answer (1)

I think rsyslog calls that TraditionalFileFormat and the reason most likely is because syslog was (and still is) traditionally split into multiple files such as mail.err, mail.info, mail.warn etc, which is basically the facility and severity encoded in <PRI>.

If you are only interested in the solution the following will strip off <PRI>:

<Output out>
  Module om_file
  File "/var/log/syslog"
  Exec if $raw_event =~ /^<\d+>(.*)/ $raw_event = $1;
</Output>

Note that when you write all output to a single file such as "/var/log/syslog" the severity and facility information is lost. Calling parse_syslog() will put it in $SyslogSeverity and $SyslogFacility that you can then use in the destination filename, or make it appear inside the log, or filter it, etc.