I am using rsyslog to send all syslog files and a few additional application log files to a remote syslog server which has syslog-ng running and sends on to Splunk using the Splunk forwarder. My problem is, when rsyslog sends logs to the remote syslog server (syslog-ng), it adds a timestamp and hostname to the log events. How do I tell rsyslog not to add the timestamp and hostname to any log events? Based on my findings, there is a template in rsyslog.conf where we can define the format and other things about log events. I tried that but it didn't work.
In my rsyslog.conf I have an entry for the template as:
$template noTimeStampFormat,"%syslogtag% %msg%\n"
$ActionFileDefaultTemplate noTimeStampFormat
I restarted the syslog service; this change didn't work.
Can someone please help me with how to fix this?
Currently events look like:
<timestamp> <hostname> <tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Ideally it would be:
<tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Thanks in advance!
This is what worked for me. We use dynaFiles to do hostname-based files.
I had a need to remove the timestamp and hostname from being prefixed to events already formatted in JSON.
template(name="LOG_TYPE_PATH" type="string"
         string="/path/to/your/logs/LOG_TYPE/%HOSTNAME%.log")

# spifno1stsp emits only a separating space (never the message text),
# and only when msg does not already start with one;
# droplastlf strips a trailing newline from the message body.
template(name="noTimestamp" type="list") {
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

if ($hostname contains "10.0.0.17") then {
    action(type="omfile" dynaFile="LOG_TYPE_PATH" template="noTimestamp")
}
These links were helpful:
https://serverfault.com/questions/1042248/rsyslog-8-dynafile-with-a-template
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
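Added editor example, not from the question or the answer above: the answer's list template bound to a forwarding action, which is what the question was actually trying to do. `$ActionFileDefaultTemplate` only governs omfile outputs; a forwarding action (`omfwd`, or the legacy `@@host:port` form) takes its template from `$ActionForwardDefaultTemplate` or from the action's own `template` parameter. The collector name `syslog.example.internal` and port are assumptions; the `<PRI>` prefix is kept so syslog-ng can still read facility and severity (drop the first three lines of the template for an exact match of the "ideal" line in the question).

```conf
# Added example (editor's, not from the posts above).
# Assumes the syslog-ng collector is reachable as syslog.example.internal on TCP/514.

# Keep <PRI>; drop TIMESTAMP and HOSTNAME. spifno1stsp emits only a
# separating space (never the message text) and only when msg does not
# already start with one; droplastlf strips a trailing newline.
# No trailing "\n" constant: the stock RSYSLOG_ForwardFormat has none
# either, because omfwd frames each record for the transport.
template(name="fwdNoTimestamp" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
}

# The template must be attached to the forwarding action itself;
# $ActionFileDefaultTemplate never applies to omfwd.
action(type="omfwd"
       target="syslog.example.internal"
       port="514"
       protocol="tcp"
       template="fwdNoTimestamp")

# Legacy-syntax equivalent (same property options, old spelling):
# $template fwdNoTimestamp,"<%PRI%>%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%"
# $ActionForwardDefaultTemplate fwdNoTimestamp
# *.* @@syslog.example.internal:514
```

One caveat for this pipeline: syslog-ng's default file destination template prepends its own date and host on write, so the receiving side's destination template has to be adjusted as well if the stored line is to look like the "ideal" form. Since the hostname then no longer travels in the message body, per-host attribution rests on the receiver (source address or a per-host file as in the answer above).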