Differences in syslog logging between SumoLogic and Splunk

Comments

  • Keith

    Hi Mike,

    This has already been answered by Kevin in our ticketing system - here's the answer again for the benefit of our community:

    Sumo Logic does not manipulate the content of your incoming data, unless you specifically choose to do so using masking or other filters. The <182> at the beginning of your message is the Syslog priority for the message and is part of the message delivered to the Sumo Logic Collector. If you do not want to see this value in any of your messages you will need to create a mask filter on your sources to convert this value to another. The following regular expression can be used as part of a masking filter configuration.

    (^<\d{3}>)

    The filter requires at least 1 character to replace the found text, so in your case you may choose to replace this with a simple "-" or "."

    For more help on setting up masking filters, you can reference the following documentation.

    https://service.sumologic.com/ui/help/Default.htm#Mask_Filters.htm

    Thanks, -Keith

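The following is an added example, not part of Keith's answer and not Sumo Logic code. It decodes the leading syslog priority into facility and severity before it is masked away, and simulates the mask locally with the regular expression from the answer. The function names, the sample lines, and the `ANY_PRI` pattern (which also accepts one- and two-digit priorities, as RFC 5424 allows) are assumptions made for illustration.

```python
import re

# Regex from the answer above: matches a three-digit priority such as <182>.
PAGE_MASK = re.compile(r"(^<\d{3}>)")
# Generalization, not from the page: RFC 5424 PRI is 1 to 3 digits, 0..191.
ANY_PRI = re.compile(r"^<(\d{1,3})>")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]


def decode_pri(line):
    """Return (facility, severity) for the line's leading PRI, or None."""
    m = ANY_PRI.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid priority
        return None
    # PRI = facility * 8 + severity
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def mask_pri(line, replacement="-", pattern=PAGE_MASK):
    """Local simulation of the mask: swap the matched PRI for `replacement`."""
    if not replacement:
        # The answer notes the filter needs at least 1 replacement character.
        raise ValueError("mask replacement must be at least 1 character")
    return pattern.sub(replacement, line, count=1)


# Constructed sample lines (not taken from the original ticket).
SAMPLES = [
    "<182>Mar  3 10:15:02 fw01 app: session opened",
    "<34>Mar  3 10:15:03 fw01 su: auth failure",
    "Mar  3 10:15:04 fw01 app: no priority here",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_pri(s), "|", mask_pri(s), "|", mask_pri(s, pattern=ANY_PRI))
```

Once the priority is masked, facility and severity can no longer be recovered from the stored message, so decode or extract them first if searches or alerts depend on them.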