Neither syslogd nor rsyslogd add this - it's Solaris' log device driver that's adding this to the beginning of each message.
So, need to fall back on rsyslogd's capability of using property replacers to dynamically edit every message with a regex to remove text of the following form from every %msg% property:

[ID <digits> <facility>.<priority>]

This would seem to require a property replacer regex of the general form:

%msg:R,ERE,1,FIELD:.+?\[ID[^]]+?\](.+)$:--end%

The regex should:
- Look for any chars/whitespace before the first '[': .+?
- match '[ID' non-greedily followed by not ']' chars: \[ID[^]]+?
- match the closing ']' of the string we want to delete: \]
- match and capture any chars that we actually want to keep: (.+)$

The Regex tool doesn't seem to match that regex, so something is probably wrong with my regex.

Just not seeing examples of:
- crafting a regex for a property replacer used in this way (removing part of what you match)
- creating a template that uses this kind of property replacer in RainerScript format

There are template/property replacer examples, to be sure - just not one for this use case that I can see.

GM

From: da...@lang.hm At: 01/31/23 10:12:08 UTC-5:00
To: Gordon Marler (BLOOMBERG/ 120 PARK ) , rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] How to eliminate Solaris specific msg ID

Look through the man page for the solaris syslog daemon, there is probably a way to tell it to not add this.

Or you could run rsyslog on solaris instead of its syslog daemon and avoid the problem that way :-)

David Lang

On Tue, 31 Jan 2023, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog wrote:

> Follow up:
>
> This field is prepended to all messages sent through the log(4D) device on Solaris, as documented in the syslogd(8) and log(4D) man pages, before they hit rsyslogd.
>
> However, I'll work on using rsyslogd's property replacer mechanism to modify the %msg property to remove this field via a template when appropriate.
>
> From: Gordon Marler (BLOOMBERG/ 120 PARK) At: 01/30/23 12:38:42 UTC-5:00
> To: RSYSLOG@LISTS.ADISCON.COM
> Subject: How to eliminate Solaris specific msg ID
>
> Noticing that all messages logged from Solaris rsyslog clients have a field in all messages that rsyslog on AIX and Linux don't have:
>
> Jan 30 12:12:16 nydevsol10 root: [ID 702911 user.info] This is a test
>                                  ^^^^^^^^^^^^^^^^^^^^^
>
> I tried to see where that field is coming from, and how to eliminate/alter it, by using the RSYSLOG_DebugFormat template:
>
> *.* {
>     action( type="omfile"
>             file="/var/log/template_tests.log"
>             template="RSYSLOG_DebugFormat")
> }
>
> Here's the output from that for an example message:
>
> Debug line with all properties:
> FROMHOST: '', fromhost-ip: '', HOSTNAME: 'nydevsol10', PRI: 14,
> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Jan 30 12:12:16', STRUCTURED-DATA: '-',
> msg: ' [ID 702911 user.info] This is a test'
> escaped msg: ' [ID 702911 user.info] This is a test'
> inputname: imsolaris rawmsg: 'Jan 30 12:12:16 root: [ID 702911 user.info] This is a test'
> $!:
> $.:
> $/:
>
> So even though only 'This is a test' was logged to rsyslogd, it appears that the msg passed into the input module was altered to be ' [ID 702911 user.info] This is a test'.
>
> Is that right?
>
> Is there a way to prevent this from being prepended to all our messages, or reformat it?
>
> Gordon
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
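The msg value from the debug output above, run through a POSIX extended regular expression with sed -E, as an added example that is not part of the thread or of rsyslog. The pattern and function names are assumptions; POSIX ERE has no non-greedy quantifiers, so the pattern is anchored at the start of the value and spells out the tag fields instead.

```sh
#!/bin/sh
# Added example (not from the thread): strip the Solaris log(4D) message-ID
# tag "[ID <digits> <facility>.<priority>]" from the front of a msg value.
# SOLARIS_ID_ERE and the function names are assumptions made for this sketch.

# POSIX ERE, anchored at the start so only a leading tag is removed.
# Group 1 is the text to keep, as with submatch 1 in the property replacer.
SOLARIS_ID_ERE='^ *\[ID [0-9]+ [a-z0-9]+\.[a-z]+\] ?(.*)$'

# Print $1 with a leading tag removed. A value without the tag is printed
# unchanged, which is what the FIELD no-match mode asks rsyslog to do.
strip_solaris_id() {
    printf '%s\n' "$1" | sed -E "s/${SOLARIS_ID_ERE}/\\1/"
}

# Exit status 0 when $1 starts with the tag, 1 otherwise.
has_solaris_id() {
    printf '%s\n' "$1" | grep -Eq "$SOLARIS_ID_ERE"
}

# Constructed sample msg values; the first is the one shown in the thread.
demo() {
    for m in \
        ' [ID 702911 user.info] This is a test' \
        'This is a test' \
        'retry [ID 1 user.info] mid-message text stays' \
        ' [ID 702911 user.info] first tag only [ID 2 kern.err] kept'
    do
        printf '%s\n  -> %s\n' "$m" "$(strip_solaris_id "$m")"
    done
}

demo
```

Whether the same pattern can be pasted unchanged into a %msg:R,ERE,1,FIELD:...--end% template string depends on rsyslog's string escaping, which this sketch does not exercise.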