I was wondering if there was a way to display the custom token of a cloud application on rsyslog with its original message automatically as in syslog-ng without manually adding the custom token in the template or JSON file. On rsyslog, I tried with a model using% rawmsg%, but it only handles two types such as test log messages and audit log for the application when a particular user logs in directly only to the cloud-based application portal. Our requirement is that the cloud based application syslog messages are all processed with the custom token intact.
Here is the example of a tamplate that I use in my rsyslog.conf:
$ template RemoteLogs, "/ var / log /% FROMHOST-IP% /% rawmsg%"
. ? RemoteLogs
Any help on this subject is greatly appreciated.