Cut out some output fields

#1 yuriishatylo

Hello,

Could you please clarify how I can cut out some fields from a forwarded event?

My situation is the following:

I have a local log file on the server where the nxlog agent is installed. Using the im_file module I have defined the path to the file and the filename. After that I configured it to forward this log to a remote syslog server. When I opened the forwarded log on the remote syslog server, I found out that my log line was changed. A time and the name of the server where the original log file is stored were added. I have posted a line from the remote server and marked the columns which were added during the forwarding.

Jan 12 13:16:28 siem-vm Jan 12 00:01:37 mail2-vm-srv postfix/cleanup[7412]: 6EC1E2A23F9: message-id=<20170111220136.5AE682A23F6>

Can you help me?

Thank you in advance.

#2 b0ti Nxlog ✓

You are probably missing parse_syslog() but it is hard to tell without seeing the actual config.

If the $Message field is not present - which is populated by parse_syslog() - then to_syslog_bsd() will use $raw_event. I assume this is why a new header is added.
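An added example, not part of the original thread and not the poster's actual configuration: a minimal nxlog config showing where parse_syslog() goes so that to_syslog_bsd() rebuilds the line from parsed fields instead of wrapping $raw_event. The file path, destination host, port and instance names are assumptions.

```conf
# Constructed example; path, host, port and instance names are placeholders.

# xm_syslog provides parse_syslog() and to_syslog_bsd().
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input maillog>
    Module  im_file
    File    "/var/log/mail.log"
    # Without this Exec, $Message is never set and, as the reply above
    # explains, to_syslog_bsd() uses the whole $raw_event (which already
    # carries a timestamp and hostname) and puts a new header in front.
    # With it, the existing syslog line is split into fields such as
    # $EventTime, $Hostname and $Message before the event is forwarded.
    Exec    parse_syslog();
</Input>

<Output siem>
    Module  om_udp
    Host    192.0.2.10
    Port    514
    # Builds one BSD syslog header from the parsed fields.
    Exec    to_syslog_bsd();
</Output>

<Route mail_to_siem>
    Path    maillog => siem
</Route>
```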