How to remove the Header from syslog message while using log4j SyslogAppender in Java

Question

I'm using the SyslogAppender of log4j version 2.17.1 (package org.apache.logging.log4j.core.appender) in order to send syslog messages.

the message are sent in the next format:

Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity","severityScore": 50,"securityEventTimestamp": 10101,"msg": "test-description","cat": "test-category","url": "test-url","dstIps": "test-destinationIps","dstHosts": "test-destinationHosts","destinationAccount": "test-destinationAccount","destination": "test-destination","destinationType": "test-destinationType","accessedTables": "test-.accessedTables","numOfAccessedObjects": "test-numOfAccessedObjects","srcUsers": "test-sourceUsers","srcIps": "test-sourceIps","srcHosts": "test-sourceHosts","sourceApps": "test-sourceApps","userAction": "test-userAction","clusterNames": "test-clusterNames","clusterMemberNames": "test-clusterMemberNames","actionType": "test-statusType"}

I would like to remove the header for the message (remove the "Mar 23 17:32:24 se-demo") and send only the message itself.

My appender is built with java code:

 private SyslogAppender createSyslogAppender(SyslogSendProtocolType protocol, SyslogFacilityType syslogFacilityType, String host, int port, boolean ignoreExceptions, String appenderName, Configuration config) {
        return SyslogAppender.createAppender(
                host,
                port,
                protocol.name(),
                null,
                5000,
                2000,
                true,
                appenderName,
                true,
                ignoreExceptions,
                Facility.toFacility(syslogFacilityType.name()),
                null,
                Rfc5424Layout.DEFAULT_ENTERPRISE_NUMBER,
                true,
                null,
                null,
                null,
                true,
                null,
                appenderName,
                null,
                null,
                null,
                null,
                null,
                null,
                config,
                Charset.forName("UTF-8"),
                null,
                new LoggerFields[]{},
                true);
    }

I attached also a printscreen of the constructor above so you can the the description of each member

I cannot find any method on that appender that I can configure whether to remove the header or not. Any ideas?

Answer 1

Remark: the factory method with more than 30 arguments is deprecated for a reason: nowadays most Log4j2 components have builders that render the code more legible.

You can easily remove the header from the Syslog messages sent by Log4j2, by replacing the appender's layout:

final Layout layout = PatternLayout.createDefaultLayout(config);
SyslogAppender.newSyslogAppenderBuilder()//
        .setConfiguration(config)
        .setLayout(layout)
        .build();

However I wouldn't recommend this path: you'll just loose information and the syslog server will just recreate the missing header.

A more proper solution would go in the opposite direction:

• Your Syslog appender is using the old BSD syslog format. Changing the format to RFC5424, will allow you to send messages unambiguously interpreted by all modern Syslog servers:

  SyslogAppender.newSyslogAppenderBuilder()
          .setConfiguration(config)
          .setName(appenderName)
          .setFormat("RFC5424")
          .setAppName("myApp")
          .build();
  

• Configure your syslog server to only save the message part. For RSyslog this can be done using:

  $template PlainMessageFormat,"%msg%\n"
  
  :programname, startswith, "myApp" {
      action(type="omfile" file="/var/log/test.log" Template="PlainMessageFormat")
      stop
  }
  

  If you are using RSylog 8.3.0 or later you can also dump the whole message as JSON:

  $template JsonMessageFormat,"%jsonmesg%\n"