I have a config file that fixes up broken syslog messages that has the following

$template fixsnareFormat,"%timereported% %HOSTNAME% MSWinEventLog %syslogtag%%msg:18:$:drop-last-lf%\n"
$template fixsnareForwardFormat,"<%pri%>%timereported% %HOSTNAME% MSWinEventLog %syslogtag%%msg:18:$:drop-last-lf%\n"
$template TraditionalFormat,"%timereported% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template TraditionalForwardFormat,"<%pri%>%timereported% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
#$template TraditionalFormat,"%timegenerated% %syslogtag%%msg:::drop-last-lf%\n"
:syslogtag, startswith, "MSWinEventLog#011"
*.* /var/log/messages;fixsnareFormat
& @192.168.210.8;fixsnareForwardFormat
& ~
*.* /var/log/messages;TraditionalFormat
*.* @192.168.210.8;TraditionalForwardFormat

The upstream box is seeing things as I would expect, but the local /var/log/messages file is not.

Is it incorrect to have two entries that both write to /var/log/messages?

David Lang

