Transform RFC3164 message? (missing tag) #23589

etfz · 2025-08-13T14:47:47Z

etfz
Aug 13, 2025

Question

Hi,

New to Vector. I understand it can do a lot of transformations. I'm currently dealing with a number of devices whose platform employs RFC3164 syslog messaging, but does not include a tag in the message part. This confuses syslog collectors. I would like to set up a dedicated endpoint for these devices, which transforms the messages like so:

-<34>Oct 11 22:14:15 mymachine 'su root' failed for lonvick on /dev/pts/8
+<34>Oct 11 22:14:15 mymachine MY_TAG: 'su root' failed for lonvick on /dev/pts/8

Answered by etfz

Aug 21, 2025

Had a go at it. This seems to do the trick:

sources:
  syslog:
    type: syslog
    mode: udp
    address: 0.0.0.0:515

transforms:
  remap_syslog:
    inputs: [syslog]
    type: remap
    source: |
      .message, err = .appname + " " + .message
      .appname = "MY_TAG"

View full answer

etfz · 2025-08-21T09:02:21Z

etfz
Aug 21, 2025
Author

Had a go at it. This seems to do the trick:

sources:
  syslog:
    type: syslog
    mode: udp
    address: 0.0.0.0:515

transforms:
  remap_syslog:
    inputs: [syslog]
    type: remap
    source: |
      .message, err = .appname + " " + .message
      .appname = "MY_TAG"

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Transform RFC3164 message? (missing tag) #23589

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Transform RFC3164 message? (missing tag) #23589

Uh oh!

Uh oh!

etfz Aug 13, 2025

Question

Replies: 1 comment

Uh oh!

Uh oh!

etfz Aug 21, 2025 Author

etfz
Aug 13, 2025

etfz
Aug 21, 2025
Author