I’m using the SyslogAppender of log4j version 2.17.1 (package org.apache.logging.log4j.core.appender) in order to send syslog messages.
The messages are sent in the following format:
Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity","severityScore": 50,"securityEventTimestamp": 10101,"msg": "test-description","cat": "test-category","url": "test-url","dstIps": "test-destinationIps","dstHosts": "test-destinationHosts","destinationAccount": "test-destinationAccount","destination": "test-destination","destinationType": "test-destinationType","accessedTables": "test-.accessedTables","numOfAccessedObjects": "test-numOfAccessedObjects","srcUsers": "test-sourceUsers","srcIps": "test-sourceIps","srcHosts": "test-sourceHosts","sourceApps": "test-sourceApps","userAction": "test-userAction","clusterNames": "test-clusterNames","clusterMemberNames": "test-clusterMemberNames","actionType": "test-statusType"}
I would like to remove the header for the message (remove the “Mar 23 17:32:24 se-demo”) and send only the message itself.
My appender is built with java code:
```java
private SyslogAppender createSyslogAppender(SyslogSendProtocolType protocol,
        SyslogFacilityType syslogFacilityType, String host, int port,
        boolean ignoreExceptions, String appenderName, Configuration config) {
    // Deprecated 31-argument factory; positional arguments in declaration order.
    return SyslogAppender.createAppender(
            host, port, protocol.name(),
            null,                // sslConfig
            5000,                // connectTimeoutMillis
            2000,                // reconnectDelayMillis
            true,                // immediateFail
            appenderName,        // name
            true,                // immediateFlush
            ignoreExceptions,
            Facility.toFacility(syslogFacilityType.name()),
            null,                // id
            Rfc5424Layout.DEFAULT_ENTERPRISE_NUMBER,
            true,                // includeMdc
            null, null, null,    // mdcId, mdcPrefix, eventPrefix
            true,                // newLine
            null,                // escapeNL
            appenderName,        // appName
            null, null, null, null, // msgId, excludes, includes, required
            null,                // format: null selects the BSD syslog layout
            null,                // filter
            config,
            Charset.forName("UTF-8"),
            null,                // exceptionPattern
            new LoggerFields[]{},
            true);               // advertise
}
```
I also attached a screenshot of the constructor above so you can see the description of each member.
I cannot find any method on that appender that I can configure whether to remove the header or not. Any ideas?
Answer
Remark: the factory method with more than 30 arguments is deprecated for a reason: nowadays most Log4j2 components have builders that render the code more legible.
You can easily remove the header from the Syslog messages sent by Log4j2, by replacing the appender’s layout:
```java
final Layout<String> layout = PatternLayout.createDefaultLayout(config);
SyslogAppender appender = SyslogAppender.newSyslogAppenderBuilder()
        .setConfiguration(config)
        .setName(appenderName) // build() returns null without a name
        .setLayout(layout)     // plain pattern layout: no syslog header is written
        .build();
```
However I wouldn’t recommend this path: you’ll just lose information and the syslog server will just recreate the missing header.
A more proper solution would go in the opposite direction:
Your Syslog appender is using the old BSD syslog format. Changing the format to RFC5424 will allow you to send messages unambiguously interpreted by all modern Syslog servers:
```java
SyslogAppender.newSyslogAppenderBuilder()
        .setConfiguration(config)
        .setName(appenderName)
        .setFormat("RFC5424")  // Rfc5424Layout instead of the BSD SyslogLayout
        .setAppName("myApp")   // APP-NAME field, used below for filtering
        .build();
```
Configure your syslog server to only save the message part. For RSyslog this can be done using:
```
$template PlainMessageFormat,"%msg%\n"
:programname, startswith, "myApp" {
    action(type="omfile" file="/var/log/test.log" Template="PlainMessageFormat")
    stop
}
```
If you are using RSyslog 8.3.0 or later you can also dump the whole message as JSON:
```
$template JsonMessageFormat,"%jsonmesg%\n"
```
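To illustrate the answer's point about keeping the header and splitting it off at the collector, here is an added Python example (not code from the question, the answer or Log4j): it separates the syslog header from the MSG part for both the BSD line format shown in the question and the RFC 5424 format the answer recommends, then decodes the JSON event while retaining timestamp and host as provenance. The sample lines are constructed (the BSD one shortened from the question's, the RFC 5424 one assumed for app name "myApp" and PRI 134).

```python
import json
import re

# BSD/RFC 3164 style line as emitted by the question's appender (optional <PRI> prefix).
BSD_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# (structured data is matched loosely: escaped ']' inside SD params is not handled).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)


def parse_syslog(line):
    """Split a syslog line into header fields and MSG; return None if unrecognised."""
    m = RFC5424_RE.match(line)
    fmt = "RFC5424"
    if m is None:
        m = BSD_RE.match(line)
        fmt = "BSD"
    if m is None:
        return None
    fields = m.groupdict()
    fields["format"] = fmt
    pri = fields.pop("pri")
    if pri is not None:  # PRI = facility * 8 + severity
        fields["facility"], fields["severity"] = divmod(int(pri), 8)
    return fields


def extract_event(line):
    """Decode the JSON event carried in MSG, keeping the header as provenance."""
    fields = parse_syslog(line)
    if fields is None:
        raise ValueError("not a syslog line")
    msg = (fields.get("msg") or "").lstrip("\ufeff")  # RFC 5424 MSG may start with a BOM
    event = json.loads(msg)
    event["_syslog"] = {k: fields[k] for k in ("format", "ts", "host") if k in fields}
    return event


# Constructed samples: the first is shortened from the question's BSD line, the second
# is what the same event looks like after switching the appender to RFC 5424.
BSD_SAMPLE = 'Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity"}'
RFC5424_SAMPLE = ('<134>1 2022-03-23T17:32:24.000+02:00 se-demo myApp - - - '
                  '{"id": 1,"type": "test-type","severity": "test-severity"}')

if __name__ == "__main__":
    for sample in (BSD_SAMPLE, RFC5424_SAMPLE):
        print(extract_event(sample))
```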