Where does the <14> come from?

#1 TK_276781

Hi,

we are using NXlog to forward syslog messages, which works fine. But we have that strange <14> in the forwarded message:

3.127.197.211 **<14>**2020-10-13 09:58:54,443   message

Config:

<Input syslog514udp>
    Module       im_udp
    Port         514
    Host         0.0.0.0
</Input>

<Output eventsentry>
    Module       om_udp
    Host         dstserver.domain.com
    Port         514
    Exec         $raw_event = $MessageSourceAddress + " " + $raw_event;
</Output>

Does anyone know why that happens?

Thanks, Thomas

#2 konstantinos Nxlog ✓

Hi,

You might be reading an event containing "priority" as defined in RFC 3164: <Priority> = Facility * 8 + Severity. In your example, <14> = 1 (user-level) * 8 + 6 (info).

If you want to get rid of that in your output, I see two options:

  • Chop the initial <##> field by using a regex similar to this:
    <Exec>
      parse_syslog();
      if $raw_event =~ /^<\d+>(.*)/ { $raw_event = $MessageSourceAddress + " " + $1; }
      else  { $raw_event = $MessageSourceAddress + " " + $raw_event; }
    </Exec>

Or

  • Restructure the message using the desired syslog fields, omitting $priority similar to this:
    <Exec>
      parse_syslog();
      $raw_event = $MessageSourceAddress + " " + $EventTime + " " + $Hostname + " " + $SourceName + " " + '[' + $ProcessID + ']: ' + $Message;
    </Exec>

Thanks, Konstantinos
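An added example, not part of the original thread and not NXLog code: a Python sketch of the PRI arithmetic from the answer above, which decodes the leading `<NN>` into facility and severity before removing it, so the forwarded line keeps the severity that a plain regex chop would discard. The function names, the short facility labels and the sample lines are assumptions made for illustration.

```python
import re

# Short labels (an assumption of this example) in RFC 3164 numbering order.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + 1 to 3 digits + ">" at the very start of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(raw_event):
    """Return (facility, severity, rest). Facility and severity are None when
    the line has no valid PRI; the line is then returned unchanged."""
    m = PRI_RE.match(raw_event)
    if not m:
        return None, None, raw_event
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest value the formula can produce
        return None, None, raw_event
    facility, severity = divmod(pri, 8)  # PRI = Facility * 8 + Severity
    return FACILITIES[facility], SEVERITIES[severity], raw_event[m.end():]


def forward_line(source_address, raw_event):
    """Build the forwarded line: source address, decoded PRI, then the message."""
    facility, severity, rest = split_pri(raw_event)
    if facility is None:
        return f"{source_address} {rest}"
    return f"{source_address} {facility}.{severity} {rest}"


# Constructed sample datagrams; the first mirrors the line in the question.
SAMPLES = [
    "<14>2020-10-13 09:58:54,443   message",
    "<999>out-of-range PRI is left untouched",
    "no PRI at all",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(forward_line("3.127.197.211", sample))
```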