rsyslog forward with ;RSYSLOG_SyslogProtocol23Format

Question

I am trying to forward rsyslog with ;RSYSLOG_SyslogProtocol23Format It works fine for an all log forward: *.* @@syslogserver.com:6789;RSYSLOG_SyslogProtocol23Format

But does anyone know how it can be implemented on specific rules?

if ($msg contains_i and so on)<br>
 action(type="omfwd" target="syslogserver.com" port="6789" protocol="tcp"
            action.resumeRetryCount="-1"

Cheers!

eDonkey · Answer 1 · 2022-09-01T08:01:09.443

0

I'm not sure what you mean by rules, I'm assuming you mean conditionals or filters.

A simple if statement can be done like this:

if $msg contains 'test' then
    action(type="omfwd" template="RSYSLOG_SyslogProtocol23Format" ...)

... which can also be chained:

if $programname == 'my_program' and $msg contains 'test' then
    action(type="omfwd" template="RSYSLOG_SyslogProtocol23Format" ...)

... or be done with a collection of statements:

if $programname == 'my_program' then {
    action(type="omfwd" ...)
    if $msg contains 'test' then
        action(type="omfwd" template="RSYSLOG_SyslogProtocol23Format" ...)
    else
        action(type="omfwd" ...)
}

edited Sep 01 '22 at 08:01

answered Aug 31 '22 at 13:05

eDonkey

115
6

Yes, I meant conditionals :) But is it possible to add ;RSYSLOG_SyslogProtocol23Format to a conditional? – Henric Carlsson Sep 01 '22 at 07:37
Do you mean filtering for a specific template or using a template in an action? – eDonkey Sep 01 '22 at 07:57
Apoloigies, I did not see you had written "action(type="omfwd" template="RSYSLOG_SyslogProtocol23Format" ...)" - I will try that asap :) – Henric Carlsson Sep 02 '22 at 07:01

rsyslog forward with ;RSYSLOG_SyslogProtocol23Format

1 Answers1