如何在Java中使用log4j SyslogAppender时从syslog消息中删除标头

yc0p9oo0  于 2022-11-06  发布在  Java
关注(0)|答案(1)|浏览(79)

我使用log4j版本2.17.1的SyslogAppender(包org.apache.logging.log4j.core.appender)来发送系统日志消息。
消息以下一种格式发送:

Mar 23 17:32:24 se-demo {"id": 1,"type": "test-type","severity": "test-severity","severityScore": 50,"securityEventTimestamp": 10101,"msg": "test-description","cat": "test-category","url": "test-url","dstIps": "test-destinationIps","dstHosts": "test-destinationHosts","destinationAccount": "test-destinationAccount","destination": "test-destination","destinationType": "test-destinationType","accessedTables": "test-.accessedTables","numOfAccessedObjects": "test-numOfAccessedObjects","srcUsers": "test-sourceUsers","srcIps": "test-sourceIps","srcHosts": "test-sourceHosts","sourceApps": "test-sourceApps","userAction": "test-userAction","clusterNames": "test-clusterNames","clusterMemberNames": "test-clusterMemberNames","actionType": "test-statusType"}

我想删除邮件的标题(删除“Mar 23 17:32:24 se-demo”),只发送邮件本身。
我的appender是用java代码构建的:

private SyslogAppender createSyslogAppender(SyslogSendProtocolType protocol, SyslogFacilityType syslogFacilityType, String host, int port, boolean ignoreExceptions, String appenderName, Configuration config) {
        return SyslogAppender.createAppender(
                host,
                port,
                protocol.name(),
                null,
                5000,
                2000,
                true,
                appenderName,
                true,
                ignoreExceptions,
                Facility.toFacility(syslogFacilityType.name()),
                null,
                Rfc5424Layout.DEFAULT_ENTERPRISE_NUMBER,
                true,
                null,
                null,
                null,
                true,
                null,
                appenderName,
                null,
                null,
                null,
                null,
                null,
                null,
                config,
                Charset.forName("UTF-8"),
                null,
                new LoggerFields[]{},
                true);
    }

我还附上了上面构造函数的打印屏幕,以便您可以查看每个成员x1c 0d1x的描述
我找不到任何方法,我可以配置是否删除头或不附加器。有什么想法?

2jcobegt

2jcobegt1#

备注:参数超过30个的作坊方法已过时,原因如下:现在,大多数Log4j2组件都有构建器来使代码更清晰。

通过替换appender的布局,您可以轻松地从Log4j2发送的Syslog消息中删除标头:

final Layout layout = PatternLayout.createDefaultLayout(config);
SyslogAppender.newSyslogAppenderBuilder()//
        .setConfiguration(config)
        .setLayout(layout)
        .build();

不过我不会推荐这条路:您只会丢失信息,syslog服务器只会重新创建丢失的报头。
一个更适当的解决办法是采取相反的方向:

  • 您的Syslog附加程序使用的是旧的BSD Syslog格式。将格式更改为RFC5424,将允许您发送所有现代Syslog服务器都能明确解释的消息:
SyslogAppender.newSyslogAppenderBuilder()
        .setConfiguration(config)
        .setName(appenderName)
        .setFormat("RFC5424")
        .setAppName("myApp")
        .build();
  • 将syslog服务器配置为仅保存消息部分。对于RSyslog,可以使用以下命令完成此操作:
$template PlainMessageFormat,"%msg%\n"

:programname, startswith, "myApp" {
    action(type="omfile" file="/var/log/test.log" Template="PlainMessageFormat")
    stop
}

如果您使用的是RSylog 8.3.0或更高版本,您还可以将整个消息转储为JSON:

$template JsonMessageFormat,"%jsonmesg%\n"

相关问题