I've been debugging this all day, and I'm not sure what's wrong yet (got some pcaps I'm staring at) but raw message forwarding as documented doesn't work. First, as documented on http://www.rsyslog.com/doc/omudpspoof.html
$ModLoad omudpspoof $template spooftemplate,"%rawmsg%" $ActionUDPSpoofTargetHost server.example.com *.* :omudpspoof:;spooftemplate This doesn't work with 5.8. So revised as: $ModLoad omudpspoof $template spooftemplate,"%rawmsg%" $ActionOMUDPSpoofTargetHost server.example.com *.* :omudpspoof:;spooftemplate This works and sends the packet, but the remote server doesn't like the packet. I've gotten it to work with just "%msg%" and a few other formats, but sending the entire original message doesn't appear to work. Some clarity might be helpful: is rsyslog breaking the message down and rebuilding it? If so, is rawmessage likely to be producing a pregnant/bundled message? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
