Mailing List Archive

How to eliminate Solaris specific msg ID
Noticing that all messages logged from Solaris rsyslog clients have a field in all messages that rsyslog on AIX and Linux don't have:

Jan 30 12:12:16 nydevsol10 root: [ID 702911 user.info] This is a test
                                 ^^^^^^^^^^^^^^^^^^^^^

I tried to see where that field is coming from, and how to eliminate/alter it, by using the RSYSLOG_DebugFormat template:

*.* {
    action(type="omfile"
           file="/var/log/template_tests.log"
           template="RSYSLOG_DebugFormat")
}

Here's the output from that for an example message:

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'nydevsol10', PRI: 14,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Jan 30 12:12:16', STRUCTURED-DATA: '-',
msg: ' [ID 702911 user.info] This is a test'
escaped msg: ' [ID 702911 user.info] This is a test'
inputname: imsolaris rawmsg: 'Jan 30 12:12:16 root: [ID 702911 user.info] This is a test'
$!:
$.:
$/:

So even though only 'This is a test' was logged to rsyslogd, it appears that the msg passed into the input module was altered to be ' [ID 702911 user.info] This is a test'.

Is that right?

Is there a way to prevent this from being prepended to all our messages, or reformat it?

Gordon
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: How to eliminate Solaris specific msg ID
Neither syslogd nor rsyslogd add this - it's Solaris' log device driver that's
adding this to the beginning of each message.

So, need to fall back on rsyslogd's capability of using property replacers to
dynamically edit every message with a regex to remove text of the following
form from every %msg% property:

[ID <digits> <facility>.<priority>]

This would seem to require a property replacer regex of the general form:

%msg:R,ERE,1,FIELD:.+?\[ID[^]]+?\](.+)$:--end%

The regex should:

- Look for any chars/whitespace before the first '[': .+?
- match '[ID' non-greedily followed by not ']' chars: \[ID[^]]+?
- match the closing ']' of the string we want to delete: \]
- match and capture any chars that we actually want to keep: (.+)$

The Regex tool doesn't seem to match that regex, so something is probably wrong with my regex.

Just not seeing examples of:

- crafting a regex for a property replacer used in this way (removing part of what you match)
- creating a template that uses this kind of property replacer in RainerScript format

There are template/property replacer examples, to be sure - just not one for this use case that I can see.

GM

From: david@lang.hm At: 01/31/23 10:12:08 UTC-5:00
To: Gordon Marler (BLOOMBERG/ 120 PARK), rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] How to eliminate Solaris specific msg ID

Look through the man page for the solaris syslog daemon, there is probably a way to tell it to not add this.

Or you could run rsyslog on solaris instead of its syslog daemon and avoid the problem that way :-)

David Lang

On Tue, 31 Jan 2023, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog wrote:

> Follow up:
>
> This field is prepended to all messages sent through the log(4D) device on Solaris, as documented in the syslogd(8) and log(4D) man pages, before they hit rsyslogd.
>
> However, I'll work on using rsyslogd's property replacer mechanism to modify the %msg property to remove this field via a template when appropriate.
>
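
The tag removal discussed in this thread, as an added example that is not part of any post here: a POSIX ERE (the flavour the posted property replacer selects with `R,ERE`) anchored to the start of the message and exercised with `sed -E`. POSIX ERE defines no lazy `+?` quantifier, so the pattern relies on the anchor instead; the function names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: normalise the Solaris "[ID <digits> <facility>.<priority>]"
# tag with a POSIX ERE. Function names and samples are constructed.

# Anchored at the start of the message so that a look-alike string later in
# the body (possibly written by an untrusted logger) is never altered.
SOLARIS_ID_ERE='^ ?\[ID ([0-9]+) ([a-z0-9]+)\.([a-z]+)\] ?'

# Remove the leading tag; messages without one pass through unchanged,
# so the same rule is safe for AIX and Linux senders.
strip_solaris_id() {
    printf '%s\n' "$1" | sed -E "s/${SOLARIS_ID_ERE}//"
}

# Keep the tag's content as key=value fields instead of discarding it.
# Prints nothing when the message carries no leading tag.
extract_solaris_id() {
    printf '%s\n' "$1" |
        sed -nE "s/${SOLARIS_ID_ERE}.*/msgid=\1 facility=\2 priority=\3/p"
}

# Constructed sample messages (the %msg% part only, leading space included).
while IFS= read -r sample; do
    printf 'in : %s\n' "$sample"
    printf 'out: %s\n' "$(strip_solaris_id "$sample")"
    printf 'tag: %s\n\n' "$(extract_solaris_id "$sample")"
done <<'EOF'
 [ID 702911 user.info] This is a test
 This is a test from a Linux client
 [ID 702911 user.info] body mentions [ID 1 kern.err] later
 body only mentions [ID 1 kern.err] later
EOF
```

Stripping only at the start keeps messages from Solaris, AIX and Linux comparable for downstream detection rules without rewriting text that merely resembles the tag.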

