
Syslog-ng is writing the following log in the layout below:

Jun 7 11:54:23 vXXXXX01-node1 RT_XXT: RT_SRC_XXT_PBA_ALLOC: Subscriber 100.64.0.2

But the system that will do the treatment expects to receive the log in the following layout:

Jun 7;11:54:23;2019;vxxxxx01-node1;RT_xxT: RT_SRC_NAT_PBA_ALLOC:;Subscriber 100.64.0.2;

What setting can I use to do what is requested?

The expected result is as follows:

Current:    Jun 7 11:54:23 vXXXXX01-node1 RT_XXT: RT_SRC_XXT_PBA_ALLOC: Subscriber 100.64.0.2
Changed: Jun 7;11:54:23;2019;vxxxxx01-node1;RT_xxT: RT_SRC_NAT_PBA_ALLOC:;Subscriber 100.64.0.2;

Secespitus

1 Answer


In syslog-ng you can reformat the log messages quite flexibly using templates, rewrite rules, and template functions (or, if all else fails, in Python). For your case, it seems that using templates will be enough, so I'd recommend checking the documentation at http://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/administration-guide/template-and-rewrite-format-modify-and-manipulate-log-messages/customize-message-format-using-macros-and-templates/templates-and-macros

Basically, you'll have to find which macros correspond to the parts of the message that you want to see in your output, and use those in a template for the destination that sends the messages over to whatever expects this format. The template will probably look something like:

template("${MONTH_ABBREV} ${DAY};${HOUR}:${MIN}:${SEC};${YEAR};${HOST};${PROGRAM};${MESSAGE};\n")

But if your backend supports JSON or similar structured input, syslog-ng supports that as well.

Robert Fekete
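The field mapping discussed above, as an added stand-alone Python example (not code from the answer and not a syslog-ng Python module): it parses the BSD-style line from the question and renders the semicolon layout, replacing any delimiter or line break found inside a field so a message cannot shift or forge columns in the receiving system. The function name, the `year` parameter (the BSD timestamp carries no year) and the `_` replacement character are assumptions made for this example.

```python
import re

# BSD-syslog style line: "Mon D HH:MM:SS host program: rest"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^:\s]+): (?P<message>.*)$"
)

# Sample line taken from the question.
SAMPLE = ("Jun 7 11:54:23 vXXXXX01-node1 RT_XXT: "
          "RT_SRC_XXT_PBA_ALLOC: Subscriber 100.64.0.2")


def to_semicolon_layout(line, year, delim=";"):
    """Render one syslog line in the layout the question asks for.

    The year is passed in because the BSD timestamp does not carry one.
    Returns None for lines that do not match, so the caller can route
    them elsewhere instead of emitting a misaligned record.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # Split "EVENT_ID: detail" the way the expected output does.
    event, sep, detail = m["message"].partition(": ")
    if not sep:
        event, detail = "", m["message"]
    tag = f"{m['program']}: {event}:" if event else f"{m['program']}:"
    fields = [f"{m['month']} {m['day']}", m["time"], str(year),
              m["host"], tag, detail]
    # A delimiter or line break inside a field would add columns downstream.
    clean = [re.sub(r"[\r\n]", " ", f).replace(delim, "_") for f in fields]
    return delim.join(clean) + delim


if __name__ == "__main__":
    print(to_semicolon_layout(SAMPLE, 2019))
```
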