rsyslog template not working correctly

Question

Can anyone help me out with this exotic problem?

I have some syslog servers forwarding messages to a central syslog server (rsyslogd 7.4.7). In the central syslog server I don't want to add timestamps to an already stamped message so I created a template which only prints the whole %msg% and nothing more.

$template t_my_log_output,"/var/syslog/cm.MY.%$YEAR%%$MONTH%%$DAY%-%msg:F,32:5%.log"
$template ProxiesTemplate2,"%msg%\n"
:rawmsg, contains, " MYAPP "                            -?t_my_log_output;ProxiesTemplate2

The problem is that rsyslog is not appending the whole message. It's missing the first %msg% characters:

41:52 2016-10-21 10:41:42 APP xxx.yyy.zzz.qqq myproc[14]  [_getMsg]: msg

I've taken a tcpdump just to be sure both dates/times are coming in:

11:41:52.311287 IP xxx.yyy.zzz.qqq.43438 > xxx.yyy.zzz.qqq.syslog: [|syslog]
E.....@.<...
.@.
......@.2016-10-21 11:41:52 2016-10-21 10:41:42 APP xxx.yyy.zzz.qqq myproc[14]  [_getMsg]: msg
................

Thanks for the help

Alex

score 0 · Accepted Answer · edited Oct 21 '16 at 14:32

0

Sorted it out eventually by replacing %msg% with %rawmsg%

edited Oct 21 '16 at 14:32

Ladadadada

26,337
7
59
90

answered Oct 21 '16 at 11:54

Alexandre Juma

103
4

rsyslog template not working correctly

1 Answers1