From 8298f0f30c8bd3282cd27f08ad9a3a4385a91234 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Sat, 18 Apr 2020 15:58:06 -0700
Subject: [PATCH] Add file destination for raw message collection
* Add file destination to capture RAWMSG. Useful for pre-production raw message capture
---
package/etc/conf.d/destinations/rawmsg_file.conf | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 package/etc/conf.d/destinations/rawmsg_file.conf
diff --git a/package/etc/conf.d/destinations/rawmsg_file.conf b/package/etc/conf.d/destinations/rawmsg_file.conf
new file mode 100644
index 0000000..f5faf88
--- /dev/null
+++ b/package/etc/conf.d/destinations/rawmsg_file.conf
@@ -0,0 +1,5 @@
+destination d_rawmsg {
+ file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+ template("${RAWMSG}\n")
+ );
+};
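Review bot: The path given to `file(...)` embeds `${HOST}`, which is derived from received traffic, so the sender influences which directories and how many files appear under `/opt/syslog-ng/var/archive/rawmsg/`; `${.splunk.sourcetype}` looks configuration-assigned, but that is not visible in this patch. Unless the global options outside this patch already set it, `check-hostname(yes)` would reject hostnames with invalid characters before they reach the path. syslog-ng also keeps state for each open destination file, so an unbounded set of host values costs memory and inodes. The destination sets no `create-dirs()`, `perm()` or `dir-perm()`, and raw messages can carry credentials or personal data, so I would state them explicitly, for example `create-dirs(yes) dir-perm(0750) perm(0640)`. A header comment such as `# Pre-production capture only: unbounded raw-message archive, no retention; do not attach to production log paths` would record the intended scope.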