How can we extract the fields from a message logged by the MessageLogging policy using rsyslog?

I have a simple MessageLogging Policy as shown below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<MessageLogging async="false" continueOnError="false" enabled="true" name="Message-Logging-1">
<DisplayName>Message Logging 1</DisplayName>
<Syslog>
   <Message>test message!</Message>
   <Host>my.log-server.com</Host>
   <Port>514</Port>
</Syslog>
</MessageLogging>

The output of this policy is as follows:

<14>Fri Oct 23 15:48:31 JST 2015Info: test message!

Since the message has a timestamp in a specific format, it’s becoming difficult to extract the fields using syslog.

After referring to the following links:

http://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html

http://www.rsyslog.com/doc/v8-stable/configuration/properties.html

I thought of using the following properties to extract the various fields

%pri-text% to extract <14> 

%date-wdayname% to extract the week day (Fri in the above example)

%timegenerated:1:15:date-rfc3164%  to extract the time stamp which is in RFC3164 format (Oct 23 15:48:31)

%year% to extract the Year part of the date (2015)

%msg% to extract the message

I can put all these into a template, let’s say CustomApigeeLogTemplate, and set it as follows in the rsyslog conf file:

$ActionFileDefaultTemplate CustomApigeeLogTemplate

However, we still have an issue. That is, I don’t know how to extract the time zone info (JST in the above example) and the log level (Info:) using rsyslog.

Can someone please help me to extract the fields from the Apigee log message using rsyslog?

Or alternatively, is there a way to use a different format for logging the timestamp information in the message via the MessageLogging Policy?


sarthak
Participant V

@AMAR DEVEGOWDA I might be mistaken here, but this does not look like an Apigee question. Rather, it is about how to deal with rsyslog. Probably you should ask on their forum or on Stack Overflow?

Dear @sarthak,

This is partly to deal with rsyslog and partly with Apigee.

It is partly with Apigee, because Apigee is logging the message in a specific format. I wanted to know two things:

a) If anyone has already handled this type of issue before, then they can suggest the answer.

b) Alternatively, can Apigee log the message in a different format? For example, use RFC 3339 format for displaying the time.
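
For reference, a field-by-field breakdown of the sample line from the question, written as a small Python parser. This is an added example, not code from either poster or from Apigee or rsyslog; the function name, the field names and the layout (inferred from the single sample line above) are assumptions.

```python
import re
from datetime import datetime

# Layout inferred from the one sample line in the question (an assumption):
# <PRI>Www Mmm dd HH:MM:SS TZ yyyyLevel: message
# Note that the year and the level are fused with no separator ("2015Info:").
LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<wday>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[A-Za-z]{2,5}) (?P<year>\d{4})"
    r"(?P<level>[A-Za-z]+): (?P<msg>.*)"
)

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_apigee_syslog(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LINE_RE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    try:
        # Wall-clock time only. The zone abbreviation is kept as text because
        # abbreviations are not unique and cannot be mapped to an offset safely.
        local = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {m['year']}", "%b %d %H:%M:%S %Y"
        )
    except ValueError:
        return None
    return {
        "pri": pri,
        "facility": pri >> 3,            # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri & 7],
        "weekday": m["wday"],
        "local_time": local.isoformat(),
        "timezone": m["tz"],
        "level": m["level"],
        "message": m["msg"],
    }


if __name__ == "__main__":
    sample = "<14>Fri Oct 23 15:48:31 JST 2015Info: test message!"  # line from the question
    print(parse_apigee_syslog(sample))
```

Lines that do not fit the layout, including ordinary RFC 3164 lines from other senders on the same port, return None, so they can be routed to a fallback instead of being mis-parsed.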