From c817b86ee598f463abd2ec59569786f2164ecd9d Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 19 Apr 2020 13:53:43 -0700
Subject: [PATCH] Refine rawmsg destination

* Refine rawmsg destination to not fire if `RAWMSG` macro is not set or null
---
 package/etc/conf.d/destinations/rawmsg_file.conf | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/destinations/rawmsg_file.conf b/package/etc/conf.d/destinations/rawmsg_file.conf
index f5faf88..7f63cf5 100644
--- a/package/etc/conf.d/destinations/rawmsg_file.conf
+++ b/package/etc/conf.d/destinations/rawmsg_file.conf
@@ -1,5 +1,12 @@
 destination d_rawmsg {
-    file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
-         template("${RAWMSG}\n")
-     );
-};
+    channel {
+        # Test for length of RAWMSG macro contents, minimum (meaning not set) appears to be "2"
+        filter { "$(length (${RAWMSG}))" != "2" };
+        destination {
+            file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+            template("${RAWMSG}\n")
+#           template("Length of RAWMSG is: $(length (${RAWMSG})), RAWMSG is: <${RAWMSG}>\n")
+            );
+        };
+    };
+};
\ No newline at end of file