The %procid% sometimes blank in rsyslog template

Question

I'm trying to configure rsyslog to output in RFC5424 format. This means that the PROCID must be output in the syslog header. If there's no header, it should output a single dash (-) in its place. However, some of the events output have it just blank, and some have an actual value.

This is rsyslogd 5.8.10 running on Amazon Linux.

Here are the config lines:

$template CustomFormat,"<%PRI%>1 %timegenerated:1:23:date-rfc3339%-00:00 %HOSTNAME% %app-name% b%procid%b %msgid% %STRUCTURED-DATA%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate CustomFormat

Note that I put a "b" on each side of %procid% to make it more visible (this part is not RFC5424-compliant). Here are two lines of sample output.

<87>1 2019-06-19T20:03:01.929-00:00 ip-10-90-0-15 crond b29408b - - pam_unix(crond:account): expired password for user root (password aged)
<85>1 2019-06-19T20:17:18.150-00:00 ip-10-90-0-15 sudo bb - - ssm-user : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/vi /etc/rsyslog.conf

The first line is correct, but the second example should have "b-b" instead of "bb". What should I do to make the blank %procid% show up as a dash? It works fine for the %msgid% and %STRUCTURED-DATA%.

Is there a better way to get RFC5424 output? (I have to use -00:00 instead of Z.)

Answer 1

There may be a better way, but one thing you can try is to use a Rainer script variable in the template instead of the property, and set this variable to "-" if the procid is empty. For example,

$template CustomFormat,"<%PRI%>1 ... b%$.myprocid%b ..."
$ActionFileDefaultTemplate CustomFormat
if ($procid == "") then {
 set $.myprocid = "-";
} else {
 set $.myprocid = $procid;
}
*.* ./outputfile

Just make sure the if statement is before any action statements. Note, you cannot change the procid property itself with set.