The message header (MSGHDR) is simply a combination of the PROGRAM and the PID (Program ID) in the following format:
PROGRAM[PID]:
By writing the MSGHDR into the MESSAGE of the log, filters can be applied to the MESSAGE rather than to the individual pieces of the log.
Once the MSGHDR is written into the MESSAGE, however, it needs to be removed; otherwise the MSGHDR will show up twice in the logs.
The MSGHDR is a non-editable macro, so the PROGRAM and PID are emptied instead, which leaves the MSGHDR with no data when it is called.
To start, first write the MSGHDR into the MESSAGE using the following rewrite rule:
rewrite r_msghdr_message { set("$MSGHDR $MESSAGE", value("MESSAGE"));};
Then clear the PROGRAM and PID so that the MSGHDR no longer carries any data, using the following two rewrite rules:
rewrite r_rmv_program { set("", value("PROGRAM"));};
rewrite r_rmv_pid { set("", value("PID"));};
After creating the rewrite rules, call them within the log statement in the Syslog-ng configuration. The order matters: the MSGHDR must be copied into the MESSAGE before the PROGRAM and PID are cleared. The example below shows the correct order:
log {
    source(s_example_source);
    rewrite(r_msghdr_message);
    rewrite(r_rmv_program);
    rewrite(r_rmv_pid);
    destination(d_example_destination);
};
Once done, the MSGHDR will be written into the MESSAGE, and the data from the MSGHDR will be removed so that it does not appear twice in the log.
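The pieces above assembled with a filter that matches on the combined MESSAGE, as an added example that is not part of the original article. The filter name f_example_sshd_failed and the sshd pattern are assumptions chosen for illustration; the source and destination names are the article's placeholders and are assumed to be defined elsewhere in the configuration.

```conf
# Copy "PROGRAM[PID]:" into the front of MESSAGE, then blank PROGRAM and PID
# so that $MSGHDR expands to nothing when the destination writes the log.
rewrite r_msghdr_message { set("$MSGHDR $MESSAGE", value("MESSAGE")); };
rewrite r_rmv_program { set("", value("PROGRAM")); };
rewrite r_rmv_pid { set("", value("PID")); };

# Hypothetical filter: a single regular expression over MESSAGE now covers
# both the program name and the message text. Single quotes are used so the
# backslashes do not need to be escaped twice.
filter f_example_sshd_failed {
    message('^sshd\[[0-9]+\]:.*Failed password');
};

log {
    source(s_example_source);
    rewrite(r_msghdr_message);      # must run while PROGRAM and PID still hold data
    rewrite(r_rmv_program);
    rewrite(r_rmv_pid);
    filter(f_example_sshd_failed);  # placed after the rewrites so it sees the new MESSAGE
    destination(d_example_destination);
};
```

Because PROGRAM is empty after these rewrites, a program() filter placed later in the same log path no longer matches; match on the MESSAGE instead, or apply the program() filter before r_rmv_program is called.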