So this is my syslog-ng configuration:
template raw_log {
    template("${MESSAGE}\n");
};
source s_eve {
    network(
        transport(tls)
        port(6514)
        tls(
            key-file("/etc/syslog-ng/ca.d/privkey.pem")
            cert-file("/etc/syslog-ng/ca.d/cacert.pem")
            peer-verify(optional-untrusted)
        )
        flags(no-parse,store-raw-message)
    );
};
destination d_logs_eve {
    file(
        "/var/log/suricata/eve.json"
        owner("root")
        group("root")
        perm(0777)
        template(raw_log)
    );
};
So I am using no-parse and store-raw-message, and I have also tried with this template:
template raw_log {
    template("${RAWMSG}\n");
};
But anyway, I get this in the file:
5468 <13>1 2023-07-10T09:43:48+00:00 14020836f0c7 {"timestamp" - - [meta sequenceId="1"] "2023-07-10T09:43:47.723612+0000","event_type":"stats","stats":{"uptime":43,"capture":{"kernel_packets":0,"kernel_drops":0,"errors":0},"decoder"
when I want just the raw message:
{"timestamp":"2023-07-10T09:43:47.723612+0000","event_type":"stats","stats":{"uptime":43,"capture":{"kernel_packets":0,"kernel_drops":0,"errors":0},"decoder"
So how do I get rid of that timestamp, server name and metadata? What am I doing wrong?
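The line landing in the file is not a bare JSON record but a complete syslog frame: `5468 ` is an RFC 6587 octet-count prefix, `<13>1` is the RFC 5424 PRI and version, then come the timestamp, hostname, APP-NAME, PROCID, MSGID and the `[meta sequenceId="1"]` structured-data element, and only after that the MSG. With `no-parse` syslog-ng stores that whole frame as `${MESSAGE}`, which is why the header survives. The following parser is an added example, not code from the post or from syslog-ng; it takes a frame constructed from the sample line above (completed with a closing brace, since the post's line is truncated, and with the octet count recomputed) and pulls the EVE record back out. Note the oddity visible in the sample: APP-NAME is `{"timestamp"` and MSG begins with `"2023-…`, i.e. the JSON line was already cut at its first `:` on the sending side; re-joining those two fields is an assumption drawn from that sample, not documented behaviour, and the function and constant names below are the example's own.

```python
import json
import re

# Constructed sample, built from the frame shown in the post. The post's line is
# truncated, so the JSON is completed with a closing object, and the octet count
# is computed from the body rather than copied so that the framing check is real.
_BODY = (
    '<13>1 2023-07-10T09:43:48+00:00 14020836f0c7 {"timestamp" - - '
    '[meta sequenceId="1"] "2023-07-10T09:43:47.723612+0000","event_type":"stats",'
    '"stats":{"uptime":43,"capture":{"kernel_packets":0,"kernel_drops":0,"errors":0}}}'
)
SAMPLE_FRAME = f"{len(_BODY.encode())} {_BODY}"

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID,
# STRUCTURED-DATA, then the optional free-form MSG. SD-PARAM escapes are not
# handled; the sample has none.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def strip_octet_count(frame: str) -> str:
    """Remove the RFC 6587 octet-counting prefix ('<len> ') and verify the length."""
    count_str, sep, rest = frame.partition(" ")
    if not sep or not count_str.isdigit():
        raise ValueError("frame does not start with an octet count")
    raw = rest.encode()
    count = int(count_str)
    if len(raw) < count:
        raise ValueError(f"truncated frame: expected {count} bytes, got {len(raw)}")
    return raw[:count].decode()


def parse_rfc5424(body: str) -> dict:
    """Split an RFC 5424 message into its header fields plus MSG."""
    m = _RFC5424.match(body)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"] = pri >> 3   # <13> -> facility 1 (user)
    fields["severity"] = pri & 7    # <13> -> severity 5 (notice)
    return fields


def recover_eve_json(frame: str) -> dict:
    """Return the Suricata EVE record carried inside one framed syslog message."""
    fields = parse_rfc5424(strip_octet_count(frame))
    payload = fields["msg"] or ""
    # In the post's sample APP-NAME is '{"timestamp"' and MSG starts with
    # '"2023-...': the JSON line was cut at its first ':' before being framed.
    # Re-joining the two is an assumption drawn from that sample, not a
    # documented syslog-ng behaviour.
    if fields["appname"].startswith("{") and not payload.startswith("{"):
        payload = fields["appname"] + ":" + payload
    return json.loads(payload)


if __name__ == "__main__":
    hdr = parse_rfc5424(strip_octet_count(SAMPLE_FRAME))
    print("header fields the question wants dropped:",
          {k: hdr[k] for k in ("pri", "timestamp", "hostname", "appname", "sd")})
    print("recovered EVE record:", json.dumps(recover_eve_json(SAMPLE_FRAME)))
```

Running it on the constructed frame yields the `{"timestamp":"2023-07-10T09:43:47.723612+0000","event_type":"stats",...}` record the post is after. Two things the parse makes visible: the receiver is storing the frame exactly as the sender produced it, so the header can only be dropped by letting syslog-ng parse the message instead of using `no-parse`; and because the JSON had already been split into APP-NAME and MSG before it arrived, parsing on the receiver alone would still leave `${MESSAGE}` starting at `"2023-…`, which points at the sender's side of the pipeline as well.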