我使用log4j版本2.17.1的SyslogAppender(包org.apache.logging.log4j.core.appender)来发送系统日志消息。
消息以下一种格式发送:
Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity","severityScore": 50,"securityEventTimestamp": 10101,"msg": "test-description","cat": "test-category","url": "test-url","dstIps": "test-destinationIps","dstHosts": "test-destinationHosts","destinationAccount": "test-destinationAccount","destination": "test-destination","destinationType": "test-destinationType","accessedTables": "test-.accessedTables","numOfAccessedObjects": "test-numOfAccessedObjects","srcUsers": "test-sourceUsers","srcIps": "test-sourceIps","srcHosts": "test-sourceHosts","sourceApps": "test-sourceApps","userAction": "test-userAction","clusterNames": "test-clusterNames","clusterMemberNames": "test-clusterMemberNames","actionType": "test-statusType"}我想删除邮件的标题(删除“Mar 23 17:32:24 se-demo”),只发送邮件本身。
我的appender是用java代码构建的:
private SyslogAppender createSyslogAppender(SyslogSendProtocolType protocol, SyslogFacilityType syslogFacilityType, String host, int port, boolean ignoreExceptions, String appenderName, Configuration config) {
return SyslogAppender.createAppender(
host,
port,
protocol.name(),
null,
5000,
2000,
true,
appenderName,
true,
ignoreExceptions,
Facility.toFacility(syslogFacilityType.name()),
null,
Rfc5424Layout.DEFAULT_ENTERPRISE_NUMBER,
true,
null,
null,
null,
true,
null,
appenderName,
null,
null,
null,
null,
null,
null,
config,
Charset.forName("UTF-8"),
null,
new LoggerFields[]{},
true);
}我还附上了上面构造函数的打印屏幕,以便您可以查看每个成员x1c 0d1x的描述
我找不到任何方法,我可以配置是否删除头或不附加器。有什么想法?
1条答案
按热度按时间2jcobegt1#
备注:参数超过30个的作坊方法已过时,原因如下:现在,大多数Log4j2组件都有构建器来使代码更清晰。
通过替换appender的布局,您可以轻松地从Log4j2发送的Syslog消息中删除标头:
不过我不会推荐这条路:您只会丢失信息,syslog服务器只会重新创建丢失的报头。
一个更适当的解决办法是采取相反的方向:
如果您使用的是RSylog 8.3.0或更高版本,您还可以将整个消息转储为JSON: