How to pass syslog message without additional timestamp
I am trying to forward an exact duplicate of the syslog message. I have the route going thru passthru to not change the data. But I am getting the timestamp and original message host added to the message.
Thoughts?
Source: Syslog on 514/tcp/udp.
Pipeline: passthru
Source Data:
<164>:Jul 23 12:34:15 CDT: %ASA-auth-4-987654: Group = 1234567890, Username = efghijk, IP = aaa.bbb.ccc.ddd, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:30m:29s, Bytes xmt: 0, Bytes rcv: 0, Reason: Idle Timeout
Destination Data:
<164>Jul 23 12:34:15 lll.mmm.nnn.ppp :Jul 23 12:34:15 CDT: %ASA-auth-4-987654: Group = 1234567890, Username = efghijk, IP = aaa.bbb.ccc.ddd, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:30m:29s, Bytes xmt: 0, Bytes rcv: 0, Reason: Idle Timeout
Best Answer
Thanks to @Anson VanDoren and Oliver. The answer is to use an eval command with __syslogout and _raw.
Name = __syslogout
Value Expression = _raw
Doing this allowed the syslog message to flow correctly to the destination without adding the hop information.
Thanks to @Ralph No. for a link to the correct documentation.
"The section about Output structure helps. It also has details on __syslogout vs _raw vs message..."
1
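A way to confirm the fix on a captured pair of messages, as an added example that is not part of the original thread or the product's own code: it reports whether the forwarded line is identical to the source line or whether a relay header (priority, timestamp, host) was prepended to an otherwise unchanged body. The function and constant names are assumptions, and the sample lines are shortened from the ones in the question.

```python
import re

# Header a relay may prepend: <PRI>Mmm dd hh:mm:ss HOST (RFC 3164 style).
RELAY_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)
PRI = re.compile(r"^<(\d{1,3})>")

# Sample lines shortened from the question (body cut after the username).
BODY = ":Jul 23 12:34:15 CDT: %ASA-auth-4-987654: Group = 1234567890, Username = efghijk"
SOURCE = "<164>" + BODY
DESTINATION = "<164>Jul 23 12:34:15 lll.mmm.nnn.ppp " + BODY


def compare_forwarded(original: str, forwarded: str) -> dict:
    """Classify how a forwarded syslog line differs from the received one."""
    if forwarded == original:
        return {"status": "identical"}

    pri = PRI.match(original)
    hdr = RELAY_HEADER.match(forwarded)
    if pri and hdr:
        body = original[pri.end():]
        same_pri = hdr.group("pri") == pri.group(1)
        # Only the header was inserted; everything after it is untouched.
        if same_pri and forwarded[hdr.end():] == body:
            return {
                "status": "relay_header_added",
                "timestamp": hdr.group("ts"),
                "host": hdr.group("host"),
            }
    # Anything else means the payload itself changed in transit.
    return {"status": "modified"}


if __name__ == "__main__":
    print(compare_forwarded(SOURCE, DESTINATION))
    print(compare_forwarded(SOURCE, SOURCE))
```
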