如何在 Java 中使用 log4j SyslogAppender 时从 syslog 消息中删除标头
我正在使用 log4j 版本 2.17.1(包 org.apache.logging.log4j.core.appender)的 SyslogAppender 来发送系统日志消息。
消息以以下格式发送:
Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity","severityScore": 50,"securityEventTimestamp": 10101,"msg": "test-description","cat": "test-category","url": "test-url","dstIps": "test-destinationIps","dstHosts": "test-destinationHosts","destinationAccount": "test-destinationAccount","destination": "test-destination","destinationType": "test-destinationType","accessedTables": "test-.accessedTables","numOfAccessedObjects": "test-numOfAccessedObjects","srcUsers": "test-sourceUsers","srcIps": "test-sourceIps","srcHosts": "test-sourceHosts","sourceApps": "test-sourceApps","userAction": "test-userAction","clusterNames": "test-clusterNames","clusterMemberNames": "test-clusterMemberNames","actionType": "test-statusType"}
我想删除消息的标头(删除“Mar 23 17:32:24 se-demo”)并仅发送消息本身。
我的附加程序是用 java 代码构建的:
private SyslogAppender createSyslogAppender(SyslogSendProtocolType protocol, SyslogFacilityType syslogFacilityType, String host, int port, boolean ignoreExceptions, String appenderName, Configuration config) {
return SyslogAppender.createAppender(
host,
port,
protocol.name(),
null,
5000,
2000,
true,
appenderName,
true,
ignoreExceptions,
Facility.toFacility(syslogFacilityType.name()),
null,
Rfc5424Layout.DEFAULT_ENTERPRISE_NUMBER,
true,
null,
null,
null,
true,
null,
appenderName,
null,
null,
null,
null,
null,
null,
config,
Charset.forName("UTF-8"),
null,
new LoggerFields[]{},
true);
}
我还附上了上面构造函数的打印屏幕,以便您可以了解每个成员的描述 
我在该附加程序上找不到任何可以配置是否删除标头的方法。 有什么想法吗?
I'm using the SyslogAppender of log4j version 2.17.1 (package org.apache.logging.log4j.core.appender) in order to send syslog messages.
the message are sent in the next format:
Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity","severityScore": 50,"securityEventTimestamp": 10101,"msg": "test-description","cat": "test-category","url": "test-url","dstIps": "test-destinationIps","dstHosts": "test-destinationHosts","destinationAccount": "test-destinationAccount","destination": "test-destination","destinationType": "test-destinationType","accessedTables": "test-.accessedTables","numOfAccessedObjects": "test-numOfAccessedObjects","srcUsers": "test-sourceUsers","srcIps": "test-sourceIps","srcHosts": "test-sourceHosts","sourceApps": "test-sourceApps","userAction": "test-userAction","clusterNames": "test-clusterNames","clusterMemberNames": "test-clusterMemberNames","actionType": "test-statusType"}
I would like to remove the header for the message (remove the "Mar 23 17:32:24 se-demo") and send only the message itself.
My appender is built with java code:
private SyslogAppender createSyslogAppender(SyslogSendProtocolType protocol, SyslogFacilityType syslogFacilityType, String host, int port, boolean ignoreExceptions, String appenderName, Configuration config) {
return SyslogAppender.createAppender(
host,
port,
protocol.name(),
null,
5000,
2000,
true,
appenderName,
true,
ignoreExceptions,
Facility.toFacility(syslogFacilityType.name()),
null,
Rfc5424Layout.DEFAULT_ENTERPRISE_NUMBER,
true,
null,
null,
null,
true,
null,
appenderName,
null,
null,
null,
null,
null,
null,
config,
Charset.forName("UTF-8"),
null,
new LoggerFields[]{},
true);
}
I attached also a printscreen of the constructor above so you can the the description of each member
I cannot find any method on that appender that I can configure whether to remove the header or not.
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
备注:具有超过 30 个参数的工厂方法已被弃用,原因是:现在大多数 Log4j2 组件都有使代码更清晰的构建器。
通过替换附加程序的布局,您可以轻松地从 Log4j2 发送的 Syslog 消息中删除标头:
但是我不推荐这条路径:您只会丢失信息,并且 syslog 服务器只会重新创建缺少标头。
更合适的解决方案是朝相反的方向发展:
您的 Syslog 附加程序正在使用旧的 BSD syslog 格式。将格式更改为 RFC5424,将允许您发送由所有现代 Syslog 明确解释的消息服务器:
将系统日志服务器配置为仅保存消息部分。对于 RSyslog,可以使用以下命令完成:
如果您使用 RSylog 8.3.0 或更高版本,您还可以将整个消息转储为 JSON:
Remark: the factory method with more than 30 arguments is deprecated for a reason: nowadays most Log4j2 components have builders that render the code more legible.
You can easily remove the header from the Syslog messages sent by Log4j2, by replacing the appender's layout:
However I wouldn't recommend this path: you'll just loose information and the syslog server will just recreate the missing header.
A more proper solution would go in the opposite direction:
Your Syslog appender is using the old BSD syslog format. Changing the format to RFC5424, will allow you to send messages unambiguously interpreted by all modern Syslog servers:
Configure your syslog server to only save the message part. For RSyslog this can be done using:
If you are using RSylog 8.3.0 or later you can also dump the whole message as JSON: