Hi Gergely & Fabien,
Thank you for your quick response. Gladly appreciated.
In response to Gergely, the 2nd option would require the changes to be made on the "apache side" of things, right? If so, it's unlikely to be possible in my use case.
What I am looking for is ideally some method of tinkering around with the header portion of the syslog protocol. Hopefully to leave the message portion of the logs untouched if possible.
Hence the third method is what I am thinking initially but just asking around if anybody has explored a better option.
In response to Fabien, this was the "crude way" I was talking about. haha.
Yours Sincerely,
Delon Lee
Hi,
On Mon, May 07, 2018 at 03:26:21PM +0200, Gergely Nagy wrote:
> A third option would be to add an SDATA field to the apache logs on the
> rsyslog side, and filter based on that on the syslog-ng side. I am not
> familiar with rsyslog all that much, and can't offer an example how to
> do that. But it shouldn't be too hard, I imagine.
One admittedly very hackish way to add SDATA to rsyslog is:
$Template t_rfc5424,"<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [foo bar=\"baz\"] %msg:R,ERE,1,FIELD:^ (.*)--end%"
*.* @remote_syslog:514;t_rfc5424
FWIW ;-)
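
What a receiver has to work with once the template above is in place, as an added example that is not part of the original thread: a small RFC 5424 parser that pulls the SDATA tag out of the header and leaves MSG untouched, so a filter can key on foo/bar="baz". The function names and the two sample lines are constructed for illustration.

```python
import re

# Header fields up to MSGID; STRUCTURED-DATA and MSG are parsed by hand below.
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
PARAM = re.compile(r' ([^\s="\]]+)="((?:\\.|[^"\\\]])*)"')
SD_ID = re.compile(r'\[([^\s="\]]+)')

def parse_rfc5424(line):
    """Split one RFC 5424 line into header fields, SDATA dict and MSG."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    keys = ("pri", "version", "timestamp", "hostname", "app", "procid", "msgid")
    rec = dict(zip(keys, m.groups()))
    pos, sdata = m.end(), {}
    if line.startswith("-", pos):          # NILVALUE: no structured data
        pos += 1
    else:
        while line.startswith("[", pos):   # one or more SD-ELEMENTs
            idm = SD_ID.match(line, pos)
            if not idm:
                raise ValueError("bad SD-ID")
            pos, params = idm.end(), {}
            while (pm := PARAM.match(line, pos)):
                # Undo the \" \\ \] escapes allowed inside PARAM-VALUE
                params[pm.group(1)] = re.sub(r'\\(["\\\]])', r"\1", pm.group(2))
                pos = pm.end()
            if not line.startswith("]", pos):
                raise ValueError("unterminated SD-ELEMENT")
            sdata[idm.group(1)] = params
            pos += 1
        if not sdata:
            raise ValueError("missing STRUCTURED-DATA")
    rec["sdata"] = sdata
    # MSG is everything after the single separating space, unmodified
    rec["msg"] = line[pos + 1:] if line.startswith(" ", pos) else ""
    return rec

def is_tagged(rec, sd_id="foo", name="bar", value="baz"):
    """Filter predicate: true only when the sender-side tag is present."""
    return rec["sdata"].get(sd_id, {}).get(name) == value

# Constructed samples: the first mimics the template's output, the second is untagged.
TAGGED = '<134>1 2018-05-07T15:30:00+02:00 web01 apache 1234 - [foo bar="baz"] GET /index.html 200'
PLAIN = '<134>1 2018-05-07T15:30:01+02:00 web01 cron 99 - - job finished'

if __name__ == "__main__":
    for line in (TAGGED, PLAIN):
        rec = parse_rfc5424(line)
        print(is_tagged(rec), rec["app"], repr(rec["msg"]))
```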