Mailing List Archive

How to eliminate Solaris specific msg ID
Follow up:

This field is prepended to all messages sent through the log(4D) device on Solaris, as documented in the syslogd(8) and log(4D) man pages, before they hit rsyslogd.

However, I'll work on using rsyslogd's property replacer mechanism to modify the %msg property to remove this field via a template when appropriate.

From: Gordon Marler (BLOOMBERG/ 120 PARK) At: 01/30/23 12:38:42 UTC-5:00To: RSYSLOG@LISTS.ADISCON.COM
Subject: How to eliminate Solaris specific msg ID
Noticing that all messages logged from Solaris rsyslog clients have a field in all messages that rsyslog on AIX and Linux don't have:

Jan 30 12:12:16 nydevsol10 root: [ID 702911 user.info] This is a test
^^^^^^^^^^^^^^^^^^^^^

I tried to see where that field is coming from, and how to eliminate/alter it, by using the RSYSLOG_DebugFormat template:

*.* {
action( type="omfile"
file="/var/log/template_tests.log"
template="RSYSLOG_DebugFormat")
}

Here's the output from that for an example message:

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'nydevsol10', PRI: 14,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Jan 30 12:12:16', STRUCTURED-DATA: '-',
msg: ' [ID 702911 user.info] This is a test'
escaped msg: ' [ID 702911 user.info] This is a test'
inputname: imsolaris rawmsg: 'Jan 30 12:12:16 root: [ID 702911 user.info] This is a test'
$!:
$.:
$/:

So even though only 'This is a test' was logged to rsyslogd, it appears that the msg passed into the input module was altered to be ' [ID 702911 user.info] This is a test'.

Is that right?

Is there a way to prevent this from being prepended to all our messages, or reformat it?

Gordon
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: How to eliminate Solaris specific msg ID [ In reply to ]
Look through the man page for the solaris syslog daemon, there is probably a way
to tell it to not add this.

Or you could run rsyslog on solaris instead of it's syslog daemon and avoid the
problem that way :-)

David Lang

On Tue, 31 Jan 2023, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog wrote:

> Follow up:
>
> This field is prepended to all messages sent through the log(4D) device on Solaris, as documented in the syslogd(8) and log(4D) man pages, before they hit rsyslogd.
>
> However, I'll work on using rsyslogd's property replacer mechanism to modify the %msg property to remove this field via a template when appropriate.
>
> From: Gordon Marler (BLOOMBERG/ 120 PARK) At: 01/30/23 12:38:42 UTC-5:00To: RSYSLOG@LISTS.ADISCON.COM
> Subject: How to eliminate Solaris specific msg ID
> Noticing that all messages logged from Solaris rsyslog clients have a field in all messages that rsyslog on AIX and Linux don't have:
>
> Jan 30 12:12:16 nydevsol10 root: [ID 702911 user.info] This is a test
> ^^^^^^^^^^^^^^^^^^^^^
>
> I tried to see where that field is coming from, and how to eliminate/alter it, by using the RSYSLOG_DebugFormat template:
>
> *.* {
> action( type="omfile"
> file="/var/log/template_tests.log"
> template="RSYSLOG_DebugFormat")
> }
>
> Here's the output from that for an example message:
>
> Debug line with all properties:
> FROMHOST: '', fromhost-ip: '', HOSTNAME: 'nydevsol10', PRI: 14,
> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Jan 30 12:12:16', STRUCTURED-DATA: '-',
> msg: ' [ID 702911 user.info] This is a test'
> escaped msg: ' [ID 702911 user.info] This is a test'
> inputname: imsolaris rawmsg: 'Jan 30 12:12:16 root: [ID 702911 user.info] This is a test'
> $!:
> $.:
> $/:
>
> So even though only 'This is a test' was logged to rsyslogd, it appears that the msg passed into the input module was altered to be ' [ID 702911 user.info] This is a test'.
>
> Is that right?
>
> Is there a way to prevent this from being prepended to all our messages, or reformat it?
>
> Gordon
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.