2
responses

Hi,

we are using NXlog to forward syslog messages, which works fine. But we have that strange <14> in the forwarded message:

3.127.197.211 **<14>**2020-10-13 09:58:54,443   message

Config:

<Input syslog514udp>
    Module       im_udp
    Port         514
    Host         0.0.0.0
</Input>

<Output eventsentry>
    Module      om_udp
    Host        dstserver.domain.com
    Port        514
    Exec        $raw_event = $MessageSourceAddress + " " + $raw_event;
</Output>

Does anyone know why that happens?

Thanks, Thomas

Asked October 13, 2020 - 12:10pm

Answer (1)

Hi,

You might be reading an event containing the "priority" as defined in RFC 3164: <Priority> = Facility * 8 + Severity. In your example, <14> = 1 (user-level) * 8 + 6 (info).

If you want to get rid of that in your output, I see two options:

  • Chop the initial <##> field by using a regex similar to this:
    <Exec>
      # parse_syslog() needs the xm_syslog extension module to be loaded
      parse_syslog();
      if $raw_event =~ /^<\d+>(.*)/ { $raw_event = $MessageSourceAddress + " " + $1; }
      else { $raw_event = $MessageSourceAddress + " " + $raw_event; }
    </Exec>

Or

  • Restructure the message using the desired syslog fields, omitting $priority, similar to this:
    <Exec>
      # parse_syslog() needs the xm_syslog extension module to be loaded
      parse_syslog();
      $raw_event = $MessageSourceAddress + " " + $EventTime + " " + $Hostname + " " + $SourceName + " " + '[' + $ProcessID + ']: ' + $Message;
    </Exec>

Thanks, Konstantinos
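As an added example (not part of this thread and not NXLog's own code), here is a small Python decoder for the RFC 3164 PRI prefix the answer describes: it splits <PRI> into facility and severity, strips it the way the first Exec does, and goes a little beyond the answer by leaving messages with no PRI or an out-of-range PRI untouched. The sample messages are constructed; the sender address is the one from the question.

```python
import re

# RFC 3164: PRI = Facility * 8 + Severity, so valid PRI values are 0..191.
# Facility codes 0..23 and severity codes 0..7 as listed in RFC 3164 section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The PRI part is "<" + 1 to 3 digits + ">" at the very start of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(raw: str):
    """Return (facility_name, severity_name, rest_of_message).

    If the message has no well-formed PRI, or the PRI is above 191, the message
    is returned unchanged with (None, None) so nothing is silently dropped.
    """
    m = PRI_RE.match(raw)
    if not m:
        return None, None, raw
    pri = int(m.group(1))
    if pri > 191:  # outside Facility 0..23 * 8 + Severity 0..7
        return None, None, raw
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], raw[m.end():]


def prefix_with_source(source_ip: str, raw: str) -> str:
    """Same effect as the answer's first Exec block: drop <PRI> and prepend the sender address."""
    _, _, rest = split_pri(raw)
    return f"{source_ip} {rest}"


if __name__ == "__main__":
    # Constructed sample: the message shape from the question, sent from 3.127.197.211.
    sample = "<14>2020-10-13 09:58:54,443   message"
    print(split_pri(sample))
    print(prefix_with_source("3.127.197.211", sample))
```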

Comments (1)