Solved

Cribl Modifying Syslog _Raw Data Format Before Sending To Destination

  • April 21, 2026
  • 16 replies
  • 11 views

Shawn Cannon
This message originated from Cribl Community Slack.

I am trying to send a datagen of syslog data to a syslog destination. The format of the beginning of the _raw message being sent in the datagen is:

<187>1 2026-04-17T14:13:25-0400 hostname

The destination syslog (I ran TCPDUMP to see it) is receiving it like this:

<187>Apr 17 14:13:25 hostname

The 1 is gone after the <> and the date format is completely different. As the receiving syslog is getting the changed message, is Cribl changing something in the _raw data before it sends out over the wire to the syslog destination?

Best answer by Jon Rust

You can control the exact formatting of the outbound data by putting the content in __syslogout

16 replies

Jon Rust
  • Employee
  • Answer
  • April 21, 2026
You can control the exact formatting of the outbound data by putting the content in __syslogout

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
I do not see that field in the data when I run a capture on the syslog destination in Cribl

The date format can be specified using the Timestamp format field.

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
ohh it needs to be a TCP destination, but I am sending to a UDP syslog

Enable internal fields to be displayed in the live capture to see the __syslogout field, but I don't believe it's set by default to anything, so it may not exist if that's the case.

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
ok thanks

That value indicates the syslog version and isn't a value that you can set with a formal metadata field in Stream, but it can be set when building __syslogout, which is why Jon recommended that method.

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
so I could take a pipeline and use eval to create __syslogOut and it will send that to the destination?

I just now noticed Jon linked to the same page/section I did, but not sure if his was already linked or not, so I didn't mean to link again if he had already done so. yeah

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
Unfortunately that did not work. I have a __syslogOut field, but the end destination is now seeing this (even before I tried __syslogOut, I added a post processing pipeline to send just _raw). The _raw data now looks like this when the destination gets it:

<13>Apr 17 14:44:43 pdscriblw01u <187>1 2026-04-17T14:44:30-0400 host OSPF.65529 4259 - [meta sequenceId="58291"] Connect fail to socket - /var/run/quagga/ospfd_protobuf_notify.api.65529 ret: -1 errno: No such file or directory

I think this is being added by Cribl when it is sent to the syslog destination

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
<13>Apr 17 14:44:43 pdscriblw01u

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
That is what I am trying to remove

Jon Rust
  • Employee
  • April 21, 2026
syslogout, no uppercase

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
well poo lol

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
I will try again

Shawn Cannon
  • Author
  • Known Participant
  • April 21, 2026
ok case is important lol. that worked
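
A receiver-side check for what this thread debugged with tcpdump, as an added example that is not part of the original posts and not Cribl's code: it classifies a captured line as RFC 5424 or BSD-style (RFC 3164) and flags a second syslog header nested in the payload. The regexes are simplified assumptions, the function names are hypothetical, and the sample lines reuse the headers quoted in the thread with constructed message tails.

```python
import re

# "<PRI>1 TIMESTAMP HOST ": a version digit right after PRI marks RFC 5424.
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")
# "<PRI>Mmm dd hh:mm:ss HOST ": BSD (RFC 3164) layout, no version field.
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")

# Header prefixes quoted in the thread; the message tails are constructed.
SENT = "<187>1 2026-04-17T14:13:25-0400 hostname app 1 - - constructed body"
REWRITTEN = "<187>Apr 17 14:13:25 hostname app[1]: constructed body"
WRAPPED = ("<13>Apr 17 14:44:43 pdscriblw01u "
           "<187>1 2026-04-17T14:44:30-0400 host OSPF.65529 4259 - "
           '[meta sequenceId="58291"] Connect fail to socket')


def classify(line):
    """Describe the header of one syslog line as seen on the wire."""
    for name, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = pattern.match(line)
        if not m:
            continue
        # PRI = facility * 8 + severity
        facility, severity = divmod(int(m.group(1)), 8)
        rest = line[m.end():]
        # A second header inside the payload means a relay wrapped the
        # event in its own header instead of forwarding it unchanged.
        inner = classify(rest) if rest.startswith("<") else None
        if inner and inner["format"] == "unknown":
            inner = None
        return {"format": name, "facility": facility, "severity": severity,
                "timestamp": m.group(2), "host": m.group(3), "inner": inner}
    return {"format": "unknown", "inner": None}


def is_double_wrapped(line):
    """True when the payload itself starts with a recognisable syslog header."""
    return classify(line)["inner"] is not None


if __name__ == "__main__":
    for label, line in (("sent", SENT), ("rewritten", REWRITTEN),
                        ("wrapped", WRAPPED)):
        info = classify(line)
        print(label, info["format"], "double-wrapped:", is_double_wrapped(line))
```
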