
Using the remote syslog plugin, is there a way to get the original syslog message, without the tag / hostname / timestamp?

Open jtsmith342 opened this issue 2 years ago • 0 comments

When using the remote syslog plugin, it injects a new timestamp, a new tag (fluentd by default) and the hostname fields. My understanding is as follows:

  • the timestamp is for the time the event is forwarded by the Syslog Server to the Remote Syslog server
  • the tag is fluentd, by default
  • the hostname is the syslog server forwarding the events to this Remote Syslog Server

Is there a way to strip / transform the record at the Remote Syslog Server? So for instance, I'd like to remove the fluentd tag. I'd like the timestamp and host to match what is in the body of the message. Please refer to the screenshot below. I'd like to get rid of the items in red and use the items in green instead.

My config is as follows:

##########
# INPUTS #
##########
# udp syslog
# Listens on UDP/514 on every interface (a port below 1024 needs root or
# CAP_NET_BIND_SERVICE); each line is emitted with tag syslog.<facility>.<severity>
<source>
  @type syslog
  <transport udp>
  </transport>
  bind 0.0.0.0
  port 514
  tag syslog
  <parse>
    @type none
    # message_format and with_priority are parameters of the syslog parser;
    # the none parser keeps the whole line in a single "message" field
    message_format auto
    with_priority true
  </parse>
</source>

###########
# OUTPUTS #
###########
# syslog** also matches the facility/severity suffix added by the input
<match syslog**>
  @type copy
  <store>
    @type file
    path /var/log/td-agent/syslog
    compress gzip
  </store>
  <store>
     @type forward
     <server>
       host 192.168.0.2
       port 514
     </server>
  </store>
  <store>
     # no hostname, program or <format> given, so the plugin defaults apply
     @type remote_syslog
     host 192.168.0.3
     port 514
  </store>
</match>

The output as received by Kiwi Syslog is as shown: [image]

Any inputs / suggestions / recommendations are welcome.

jtsmith342, Dec 07 '22 17:12
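One way to get closer to what the issue asks for, as an added example that is not part of the original issue and not the plugin's own documented configuration: parse the incoming line with the syslog parser instead of `none`, so the record carries the sender's `host`, `ident`, `pid` and `message` fields, then pass those fields to remote_syslog rather than its defaults (`program` defaults to `fluentd`, which is the "tag" seen in the screenshot). It assumes that `hostname` and `program` accept `${...}` placeholders resolved from the buffer chunk keys, and that the `<format>` section with `single_value` and `message_key` is accepted; both should be checked against the installed plugin version. The file and forward stores from the original config are left out for brevity.

```conf
# Added example, not code from the issue or the plugin's README.
# Parse the syslog line into fields, then forward only the original
# host, program and message body to the remote syslog server.
<source>
  @type syslog
  <transport udp>
  </transport>
  bind 0.0.0.0
  port 514
  tag syslog
  <parse>
    @type syslog            # instead of none: yields host, ident, pid, message
    message_format auto     # accept both RFC 3164 and RFC 5424 lines
    with_priority true      # keep the <PRI> value in the record as "pri"
  </parse>
</source>

<match syslog**>
  @type remote_syslog
  host 192.168.0.3
  port 514
  protocol udp

  # Assumption: hostname and program take ${...} placeholders that are
  # resolved from the buffer chunk keys named below.
  hostname ${host}          # original sender's hostname from the parsed line
  program ${ident}          # original program name instead of "fluentd"
  <buffer host, ident>
    flush_mode immediate    # one chunk per host/ident pair, sent right away
  </buffer>

  # Send just the message body rather than the whole record.
  <format>
    @type single_value
    message_key message
  </format>
</match>
```

Two caveats. The syslog timestamp is still written by the forwarder at send time, as the issue observes; this example does not carry the sender's timestamp through. And because the listener accepts UDP from any address, `host` and `ident` are whatever the sender put in the packet, so the forwarded hostname is no more trustworthy than the original unauthenticated syslog line; restrict the source addresses at the firewall or with `bind` if that matters downstream.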