[rsyslog] How to eliminate Solaris specific msg ID

Tue, 31 Jan 2023 07:10:32 -0800 

Follow up:

This field is prepended to all messages sent through the log(4D) device on 
Solaris, as documented in the syslogd(8) and log(4D) man pages, before they hit 
rsyslogd.

However, I'll work on using rsyslogd's property replacer mechanism to modify 
the %msg property to remove this field via a template when appropriate.

From: Gordon Marler (BLOOMBERG/ 120 PARK) At: 01/30/23 12:38:42 UTC-5:00To:  
RSYSLOG@LISTS.ADISCON.COM
Subject: How to eliminate Solaris specific msg ID
Noticing that all messages logged from Solaris rsyslog clients have a field in 
all messages that rsyslog on AIX and Linux don't have:

Jan 30 12:12:16 nydevsol10     root: [ID 702911 user.info] This is a test
                                     ^^^^^^^^^^^^^^^^^^^^^

I tried to see where that field is coming from, and how to eliminate/alter it, 
by using the RSYSLOG_DebugFormat template:

*.* {
  action( type="omfile"
          file="/var/log/template_tests.log"
          template="RSYSLOG_DebugFormat")
}

Here's the output from that for an example message:

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'nydevsol10', PRI: 14,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: 
'-',
TIMESTAMP: 'Jan 30 12:12:16', STRUCTURED-DATA: '-',
msg: ' [ID 702911 user.info] This is a test'
escaped msg: ' [ID 702911 user.info] This is a test'
inputname: imsolaris rawmsg: 'Jan 30 12:12:16 root: [ID 702911 user.info] This 
is a test'
$!:
$.:
$/:

So even though only 'This is a test' was logged to rsyslogd, it appears that 
the msg passed into the input module was altered to be ' [ID 702911 user.info] 
This is a test'.

Is that right?

Is there a way to prevent this from being prepended to all our messages, or 
reformat it?

Gordon
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to