change msg property to new value with rsyslog

x13 picture x13 · Jan 30, 2013 · Viewed 8.6k times · Source

I have this rsyslog configuration:

    $template f_x,"/path/%programname%.%$YEAR%%$MONTH%%$DAY%%$HOUR%.log"

    if $programname == 'xyz' and $msg contains 'Hello World' or $msg contains 'FATAL'         
    then $msg = 'Starting xyz' ?f_x
    & ~

How can I change in this configuration my receive $msg property from 'Hello World' to $msg = 'BlaBlaBla' and write to file (%programname%.%$YEAR%%$MONTH%%$DAY%%$HOUR%.log) the last $msg value

Thanks in advance

Answer

Philippe picture Philippe · Mar 15, 2013

You can't override the msg property.

Starting with rsyslog 7, you can do the trick by using CEE/lumberjack properties with a custom template. Here is an example:

# Notice the use of $!msg in template string
template(name="logline" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$!msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# If the message matches your conditions, set $!msg to your custom string
if ($programname == 'xyz' and $msg contains 'Hello World' or $msg contains 'FATAL') then set $!msg = "Starting xyz";
# Otherwise, use the msg property value
else set $!msg = $msg;

# Finally, use the custom template
action(type="omfile" file="/tmp/logfile" template="logline")

For more information about CEE/lumberjack properties in rsyslog, see http://www.rsyslog.com/how-to-set-variables-in-rsyslog-v7/.