For closure and anyone looks for something similar in the future. This is what I ended up with:
template(name="debug_headers" type="string" string="Debug line with all properties:\nFROMHOST: '%FROMHOST%', fromhost-ip:'%fromhost-ip%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%',PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%',STRUCTURED-DATA: '%STRUCTURED-DATA%',\n$!:%$!%\n$.:%$.%\n$/:%$/%\n\n") *.* /var/splunk-syslog/msgheaders.log;debug_headers Which gave me just what I wanted and nothing more: Debug line with all properties: FROMHOST: 'cdcubde01.mycompany.com', fromhost-ip:'100.200.20.124', HOSTNAME: 'cdcubde01.mycompany.com', PRI: 167, syslogtag 'Vpxa:', programname: 'Vpxa', APP-NAME: 'Vpxa',PROCID: '-', MSGID: '-', TIMESTAMP: 'Dec 12 22:49:20',STRUCTURED-DATA: '-', $!: $.: $/: Thank you Rainer and David. I know I'm just scratching the surface of rsyslog, but certainly have learned a lot ... thanks for this list. Patrick -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards Sent: Monday, December 12, 2016 2:47 PM To: rsyslog-users <[email protected]> Subject: Re: [rsyslog] debug options Sent from phone, thus brief. Am 12.12.2016 19:55 schrieb "Swartz, Patrick" <[email protected]>: Howdy, Do you mean something like this: template(name="debug_headers" type="string" string="Debug line with all properties:\nFROMHOST: '%FROMHOST%', fromhost-ip:'%fromhost-ip%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%',PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%',STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg:'%msg:::drop-cc%'\ninputname: %inputname% rawmsg:%rawmsg%'\n$!:%$!%\n$.:%$.%\n$/:%$/%\n\n") template(name="debug_app" type="string" string="/var/splunk-syslog/ msgheaders-$NOW.log) Ending quote char missing... Rainer action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="debug_app");debug_headers The above doesn't pass the "rsyslogd -N1" test. Is the order wrong, or am I total out in left field? I do apologize for being so slow in catching on to the rsyslog way. rsyslogd -N1 rsyslogd: version 8.4.0, config validation run (level 1), master config /etc/rsyslog.conf rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 23: syntax error on token '" dirCreateMode=' [try http://www.rsyslog.com/e/2207 ] rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ] rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means) Thanks again for your help and guidance, Patrick -----Original Message----- From: [email protected] [mailto:rsyslog-bounces@lists. adiscon.com] On Behalf Of Rainer Gerhards Sent: Monday, December 12, 2016 8:23 AM To: rsyslog-users <[email protected]> Subject: Re: [rsyslog] debug options FYI this is the template that you use (from source code): "Debug line with all properties:\nFROMHOST: '%FROMHOST%', fromhost-ip: '%fromhost-ip%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\ninputname: %inputname% rawmsg: %rawmsg%'\n$!:%$!%\n$.:%$.%\n$/:%$/%\n\n" -- RG 2016-12-12 15:19 GMT+01:00 Rainer Gerhards <[email protected]>: > very easy, you just need to define a template with what you want. Doc here: > > http://www.rsyslog.com/doc/v8-stable/configuration/templates.html > > Rainer > > 2016-12-12 15:17 GMT+01:00 Swartz, Patrick <[email protected]>: >> Hello, >> Is there a way to get the message headers like what debug provides, without also getting the whole message? >> I'm currently using: -- *.* >> /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat -- to see the message headers in order to understand them better to create different filters. >> However, by getting the whole message too, my debug file size is exploding. >> >> This is the only part I really want to save - >> FROMHOST: 'cdcubpe02.mycompany.com', fromhost-ip: '100.200.20.112', >> HOSTNAME: 'cdcubpe02.mycompany.com', PRI: 167, syslogtag 'Vpxa:', >> programname: 'Vpxa', APP-NAME: 'Vpxa', PROCID: '-', MSGID: '-', >> TIMESTAMP: 'Dec 12 14:14:59', STRUCTURED-DATA: '-', >> >> Is what I'm seeking even possible? >> >> Many thanks, >> Patrick >> >> --------------------------------------------------------------------- >> - This email and any files transmitted with it are confidential and >> intended solely for the use of the addressee. If you are not the intended addressee, then you have received this email in error and any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please notify us immediately of your unintended receipt by reply and then delete this email and your reply. Tyson Foods, Inc. and its subsidiaries and affiliates will not be held liable to any person resulting from the unintended or unauthorized use of any information contained in this email or as a result of any additions or deletions of information originally contained in this email. >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ---------------------------------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the addressee. If you are not the intended addressee, then you have received this email in error and any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please notify us immediately of your unintended receipt by reply and then delete this email and your reply. Tyson Foods, Inc. and its subsidiaries and affiliates will not be held liable to any person resulting from the unintended or unauthorized use of any information contained in this email or as a result of any additions or deletions of information originally contained in this email. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ---------------------------------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the addressee. If you are not the intended addressee, then you have received this email in error and any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please notify us immediately of your unintended receipt by reply and then delete this email and your reply. Tyson Foods, Inc. and its subsidiaries and affiliates will not be held liable to any person resulting from the unintended or unauthorized use of any information contained in this email or as a result of any additions or deletions of information originally contained in this email. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
