how to remove hostname and timestamp from logs coming from remote syslog server












0














I am using rsyslog to send all syslog files and few additional application log files to remote syslog server which has syslog-ng server running and it's sending to Splunk using splunk forwarder. My problem is, when rsyslog sending logs to remote syslog server (syslog-ng), in log events it's adding Timestamp and Hostname to it. How do I tell rsyslog to don't add Timestamp and Hostname to any log events?
based on my findings, there is a template in rsyslog.conf. where we can define format and other things about log events. I tried that but it didn't work.



in my rsyslog.conf I have entry for template as, 



$template noTimeStampFormat,"%syslogtag% %msg%n"

$ActionFileDefaultTemplate noTimeStampFormat


I restarted syslog service, this change didn't work.



can someone please help me here on how to fix this?



Currently events looks like



<timestamp> <hostname> <tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Ideal would be,



<tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Thanks in advance!






linux syslog splunk rsyslog syslog-ng







share|improve this question






















  • ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style Rainer script like action(...) it has no effect. Also, forwarding probably uses template RSYSLOG_TraditionalForwardFormat. Use an explicit template in your rules, eg perhaps for legacy it is *.* @@server;noTimeStampFormat
    – meuh
    Nov 21 at 12:06
















0














I am using rsyslog to send all syslog files and few additional application log files to remote syslog server which has syslog-ng server running and it's sending to Splunk using splunk forwarder. My problem is, when rsyslog sending logs to remote syslog server (syslog-ng), in log events it's adding Timestamp and Hostname to it. How do I tell rsyslog to don't add Timestamp and Hostname to any log events?
based on my findings, there is a template in rsyslog.conf. where we can define format and other things about log events. I tried that but it didn't work.



in my rsyslog.conf I have entry for template as, 



$template noTimeStampFormat,"%syslogtag% %msg%n"

$ActionFileDefaultTemplate noTimeStampFormat


I restarted syslog service, this change didn't work.



can someone please help me here on how to fix this?



Currently events looks like



<timestamp> <hostname> <tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Ideal would be,



<tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Thanks in advance!






linux syslog splunk rsyslog syslog-ng







share|improve this question






















  • ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style Rainer script like action(...) it has no effect. Also, forwarding probably uses template RSYSLOG_TraditionalForwardFormat. Use an explicit template in your rules, eg perhaps for legacy it is *.* @@server;noTimeStampFormat
    – meuh
    Nov 21 at 12:06














0












0








0







I am using rsyslog to send all syslog files and few additional application log files to remote syslog server which has syslog-ng server running and it's sending to Splunk using splunk forwarder. My problem is, when rsyslog sending logs to remote syslog server (syslog-ng), in log events it's adding Timestamp and Hostname to it. How do I tell rsyslog to don't add Timestamp and Hostname to any log events?
based on my findings, there is a template in rsyslog.conf. where we can define format and other things about log events. I tried that but it didn't work.



in my rsyslog.conf I have entry for template as, 



$template noTimeStampFormat,"%syslogtag% %msg%n"

$ActionFileDefaultTemplate noTimeStampFormat


I restarted syslog service, this change didn't work.



can someone please help me here on how to fix this?



Currently events looks like



<timestamp> <hostname> <tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Ideal would be,



<tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Thanks in advance!






linux syslog splunk rsyslog syslog-ng







share|improve this question













I am using rsyslog to send all syslog files and few additional application log files to remote syslog server which has syslog-ng server running and it's sending to Splunk using splunk forwarder. My problem is, when rsyslog sending logs to remote syslog server (syslog-ng), in log events it's adding Timestamp and Hostname to it. How do I tell rsyslog to don't add Timestamp and Hostname to any log events?
based on my findings, there is a template in rsyslog.conf. where we can define format and other things about log events. I tried that but it didn't work.



in my rsyslog.conf I have entry for template as, 



$template noTimeStampFormat,"%syslogtag% %msg%n"

$ActionFileDefaultTemplate noTimeStampFormat


I restarted syslog service, this change didn't work.



can someone please help me here on how to fix this?



Currently events looks like



<timestamp> <hostname> <tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Ideal would be,



<tag> sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)


Thanks in advance!






linux syslog splunk rsyslog syslog-ng




linux syslog splunk rsyslog syslog-ng






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 20 at 20:05









Meet101

140218




140218












  • ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style Rainer script like action(...) it has no effect. Also, forwarding probably uses template RSYSLOG_TraditionalForwardFormat. Use an explicit template in your rules, eg perhaps for legacy it is *.* @@server;noTimeStampFormat
    – meuh
    Nov 21 at 12:06


















  • ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style Rainer script like action(...) it has no effect. Also, forwarding probably uses template RSYSLOG_TraditionalForwardFormat. Use an explicit template in your rules, eg perhaps for legacy it is *.* @@server;noTimeStampFormat
    – meuh
    Nov 21 at 12:06
















ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style Rainer script like action(...) it has no effect. Also, forwarding probably uses template RSYSLOG_TraditionalForwardFormat. Use an explicit template in your rules, eg perhaps for legacy it is *.* @@server;noTimeStampFormat
– meuh
Nov 21 at 12:06




ActionFileDefaultTemplate is a legacy command. If you are mixing it with newer-style Rainer script like action(...) it has no effect. Also, forwarding probably uses template RSYSLOG_TraditionalForwardFormat. Use an explicit template in your rules, eg perhaps for legacy it is *.* @@server;noTimeStampFormat
– meuh
Nov 21 at 12:06












2 Answers
2






active

oldest

votes


















0














I have a similar situation where I'm logging to a local syslog and then forwarding all local0 facility entries over to a Graylog syslog input.



This is an example /etc/rsyslog.d/60-graylog.conf



template(name="MyFormat" type="string"

     string= "%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"

    )



local0.* @1.2.3.4:10514;MyFormat


(That last line is in "legacy" format and should really be rewritten with the "action" syntax)



More info and template properties are available at https://www.rsyslog.com/doc/v8-stable/configuration/templates.html






share|improve this answer





























    -1














    on linux command line:



    cut -d$' ' -f 3-20 logfile.log >newfile.log



    "cut" splits in parts delimited by ' ' (space) and output part 3 to 20 ;)






    share|improve this answer





















      Your Answer






      StackExchange.ifUsing("editor", function () {
      StackExchange.using("externalEditor", function () {
      StackExchange.using("snippets", function () {
      StackExchange.snippets.init();
      });
      });
      }, "code-snippets");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "1"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53400738%2fhow-to-remove-hostname-and-timestamp-from-logs-coming-from-remote-syslog-server%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      I have a similar situation where I'm logging to a local syslog and then forwarding all local0 facility entries over to a Graylog syslog input.



      This is an example /etc/rsyslog.d/60-graylog.conf



      template(name="MyFormat" type="string"
      
     string= "%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"
      
    )
      

      
local0.* @1.2.3.4:10514;MyFormat


      (That last line is in "legacy" format and should really be rewritten with the "action" syntax)



      More info and template properties are available at https://www.rsyslog.com/doc/v8-stable/configuration/templates.html






      share|improve this answer


























        0














        I have a similar situation where I'm logging to a local syslog and then forwarding all local0 facility entries over to a Graylog syslog input.



        This is an example /etc/rsyslog.d/60-graylog.conf



        template(name="MyFormat" type="string"
        
     string= "%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"
        
    )
        

        
local0.* @1.2.3.4:10514;MyFormat


        (That last line is in "legacy" format and should really be rewritten with the "action" syntax)



        More info and template properties are available at https://www.rsyslog.com/doc/v8-stable/configuration/templates.html






        share|improve this answer
























          0












          0








          0






          I have a similar situation where I'm logging to a local syslog and then forwarding all local0 facility entries over to a Graylog syslog input.



          This is an example /etc/rsyslog.d/60-graylog.conf



          template(name="MyFormat" type="string"
          
     string= "%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"
          
    )
          

          
local0.* @1.2.3.4:10514;MyFormat


          (That last line is in "legacy" format and should really be rewritten with the "action" syntax)



          More info and template properties are available at https://www.rsyslog.com/doc/v8-stable/configuration/templates.html






          share|improve this answer












          I have a similar situation where I'm logging to a local syslog and then forwarding all local0 facility entries over to a Graylog syslog input.



          This is an example /etc/rsyslog.d/60-graylog.conf



          template(name="MyFormat" type="string"
          
     string= "%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%n"
          
    )
          

          
local0.* @1.2.3.4:10514;MyFormat


          (That last line is in "legacy" format and should really be rewritten with the "action" syntax)



          More info and template properties are available at https://www.rsyslog.com/doc/v8-stable/configuration/templates.html







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 18 hours ago









          Moby Duck

          19946




          19946

























              -1














              on linux command line:



              cut -d$' ' -f 3-20 logfile.log >newfile.log



              "cut" splits in parts delimited by ' ' (space) and output part 3 to 20 ;)






              share|improve this answer


























                -1














                on linux command line:



                cut -d$' ' -f 3-20 logfile.log >newfile.log



                "cut" splits in parts delimited by ' ' (space) and output part 3 to 20 ;)






                share|improve this answer
























                  -1












                  -1








                  -1






                  on linux command line:



                  cut -d$' ' -f 3-20 logfile.log >newfile.log



                  "cut" splits in parts delimited by ' ' (space) and output part 3 to 20 ;)






                  share|improve this answer












                  on linux command line:



                  cut -d$' ' -f 3-20 logfile.log >newfile.log



                  "cut" splits in parts delimited by ' ' (space) and output part 3 to 20 ;)







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 20 at 20:21









                  user10682258

                  1




                  1






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Stack Overflow!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53400738%2fhow-to-remove-hostname-and-timestamp-from-logs-coming-from-remote-syslog-server%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      To store a contact into the json file from server.js file using a class in NodeJS

                      Image
                      0 I have created three files -contactPresentation.js, contactService.js, contacts.json. I will run the contactService.js file. And it will navigate to contactPresentation.js file that will only choose an option to either add or display a file. If add(), then add the data into add of service file.And the data will be added to the contacts.json file . And if display(), then display the display() of service file. And the display will take the data from contacts.json file. However, i know my code is flawed. Please correct it . I am also getting an error - this.contacts.push(new ContactService(userName, contactNumber, emailId)); ^ TypeError: Cannot read property 'push' of undefined at ContactService.add (e:NodeJSProjectcontactManager2contactService.js:57:23) at new C
                      Read more

                      Redirect URL with Chrome Remote Debugging Android Devices

                      Image
                      1 How can i redirect an URL with Chrome Remote Debugging Android Devices? like Requestly Chrome extension on desktop. google-chrome debugging url redirect testing share | improve this question edited Nov 24 '18 at 8:16 sachinjain024 14.7k 23 73 129 asked Nov 23 '18 at 16:09 Momen Momen 91 10
                      Read more

                      Dieringhausen

                      Image
                      Dieringhausen Stadt Gummersbach 50.982777777778 7.5316666666667 165 Koordinaten: 50° 58′ 58″  N , 7° 31′ 54″  O Höhe: 165  (160–245)  m Einwohner: 5055  (30. Jun. 2016) Postleitzahl: 51645 Vorwahl: 02261 Lage von Dieringhausen in Gummersbach Im Hohl ca. 1927–1930 Ansicht von Südwesten bei Bünghausen Dieringhausen (im örtlichen Dialekt Dierkesen ) ist ein Ortsteil von Gummersbach im Oberbergischen Kreis, Regierungsbezirk Köln, Nordrhein-Westfalen (Deutschland). Inhaltsverzeichnis 1 Geographie 2 Geschichte 3 Kultur 3.1 Sehenswürdigkeiten 3.2 Regelmäßige Veranstaltungen 4 Infrastruktur und Wirtschaft 4.1 Verkehr 4.1.1 Schienen- und Busverkehr 4.1.2 Straßen 4.2 Öffentliche Einrichtungen 4.2.1 Schulen und Bildungseinrichtungen 4.2.2 Kirchliche Einrichtungen 5 Persönlichkeiten 5.1 In Dieringhausen geboren 5.2 In Dieringhausen gelebt 6 Einzelnachweise 7
                      Read more