1

I am using rsyslog to send all syslog files and a few additional application log files to a remote syslog server which has syslog-ng running and sends them on to Splunk using a Splunk forwarder. My problem is, when rsyslog sends logs to the remote syslog server (syslog-ng), it adds a timestamp and hostname to the log events. How do I tell rsyslog not to add the timestamp and hostname to any log events? Based on my findings, there is a template in rsyslog.conf where we can define the format and other things about log events. I tried that but it didn't work.

In my rsyslog.conf I have an entry for the template as:

$template noTimeStampFormat,"%syslogtag% %msg%\n"
$ActionFileDefaultTemplate noTimeStampFormat

I restarted the syslog service, but this change didn't work.

Can someone please help me with how to fix this?

Currently the events look like:

<timestamp> <hostname> <tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)

Ideally they would be:

<tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)

Thanks in advance!

Meet101
  • ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style RainerScript like `action(...)` it has no effect. Also, forwarding probably uses template `RSYSLOG_TraditionalForwardFormat`. Use an explicit template in your rules, e.g. perhaps for legacy it is `*.* @@server;noTimeStampFormat` – meuh Nov 21 '18 at 12:06

3 Answers

1

I have a similar situation where I'm logging to a local syslog and then forwarding all local0 facility entries over to a Graylog syslog input.

This is an example /etc/rsyslog.d/60-graylog.conf

template(name="MyFormat" type="string"
         string="%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

local0.* @1.2.3.4:10514;MyFormat

(That last line is in "legacy" format and should really be rewritten with the "action" syntax)

More info and template properties are available at https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

Moby Duck
0

This is what worked for me. We use dynaFiles to produce hostname-based files.
I needed to stop the timestamp and hostname from being prefixed to events that were already formatted as JSON.

template(name="LOG_TYPE_PATH" type="string"
         string="/path/to/your/logs/LOG_TYPE/%HOSTNAME%.log")

template(name="noTimestamp" type="list") {
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

if ($hostname contains "10.0.0.17") then {
  action(type="omfile" dynaFile="LOG_TYPE_PATH" template="noTimestamp")
}

These links were helpful:

https://serverfault.com/questions/1042248/rsyslog-8-dynafile-with-a-template
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

msq
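To check what the templates in the two answers above actually emit before touching a live forwarder, here is an added Python emulation (not rsyslog's own code and not part of either answer): it parses a traditional syslog line into the rsyslog properties timestamp, hostname, syslogtag and msg, then applies the sp-if-no-1st-sp and drop-last-lf options that both the string template and the list template use. The sample events are constructed.

```python
import re

# Constructed sample events in the traditional (RFC 3164 style) layout
# that rsyslog produces locally; the hosts, pids and content are made up.
SAMPLE_EVENTS = [
    "Nov 21 12:06:01 web01 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)",
    'Nov 21 12:06:02 web01 myapp[4242]:{"level":"info","event":"login"}',
    "Nov 21 12:06:03 web01 cron[777]: (root) CMD (run-parts /etc/cron.hourly)\n",
]

# Traditional header: "Mmm dd hh:mm:ss hostname tag[pid]: msg".
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>[^\s:]+(?:\[\d+\])?:)"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_event(line):
    """Split a traditional syslog line into the properties referenced by the
    templates on this page: timestamp, hostname, syslogtag and msg.
    As in rsyslog, msg keeps whatever follows the tag, including the space."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a traditional syslog line: %r" % line)
    return m.groupdict()


def render_no_timestamp(line):
    """Emulate %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\\n
    (the same thing the list template with spifno1stsp/droplastlf does).
    sp-if-no-1st-sp: emit one space only if msg does not already start with one.
    drop-last-lf: remove a single trailing newline from msg; the template's
    own \\n then terminates the record exactly once."""
    props = parse_event(line)
    msg = props["msg"]
    separator = "" if msg.startswith(" ") else " "
    body = msg[:-1] if msg.endswith("\n") else msg
    return props["syslogtag"] + separator + body + "\n"


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(render_no_timestamp(event), end="")
```

The first sample reproduces the question's own event and renders as the "ideal" line the asker wanted; the second shows why sp-if-no-1st-sp matters for JSON payloads that follow the tag without a space.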
-4

On the Linux command line:

cut -d ' ' -f 3-20 logfile.log > newfile.log

"cut" splits the line into parts delimited by ' ' (space) and outputs parts 3 to 20 ;)