I have this rsyslog configuration:
$template f_x,"/path/%programname%.%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"
if $programname == 'xyz' and $msg contains 'Hello World' or $msg contains 'FATAL'
then $msg = 'Starting xyz' ?f_x
& ~
How can I change in this configuration my receive $msg property from 'Hello World' to $msg = 'BlaBlaBla' and write to file (%programname%.%$YEAR%%$MONTH%%$DAY%%$HOUR%.log) the last $msg value
Thanks in advance
You can't override the msg property.
Starting with rsyslog 7, you can do the trick by using CEE/lumberjack properties with a custom template. Here is an example:
# Notice the use of $!msg in template string
template(name="logline" type="string"
string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$!msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
# If the message matches your conditions, set $!msg to your custom string
if ($programname == 'xyz' and $msg contains 'Hello World' or $msg contains 'FATAL') then set $!msg = "Starting xyz";
# Otherwise, use the msg property value
else set $!msg = $msg;
# Finally, use the custom template
action(type="omfile" file="/tmp/logfile" template="logline")
For more information about CEE/lumberjack properties in rsyslog, see http://www.rsyslog.com/how-to-set-variables-in-rsyslog-v7/.