On Fri, 20 Apr 2012, Jo Rhett wrote:

> On Apr 20, 2012, at 4:30 PM, [email protected] wrote:
>
>> wait a minute, I realized just after I sent this that you probably meant that
>> if you send standard syslog with the Forward format Zenoss doesn't work, but if
>> you send standard syslog with the File format Zenoss works.
>>
>> If this is the case, then instead of using '%rawmesg%' for your spoof template,
>> use '%timestamp% %hostname% %syslogtag%%msg%'
>>
>> This should be the same thing, just without the severity/priority tag. If
>> that's what Zenoss is choking on, this may fix it (and then you can file a bug
>> with them :-)
>
> No, I've only gotten it working with the message only. It doesn't like
> FileFormat either (see my message). I can try that later tonight. We're
> at peak traffic right now ;-)

Ok, I'm trying to make sure I am properly understanding what works and
what doesn't (I know that at some point here I have gotten confused, and
I'm not sure I have it all straightened out yet).

My understanding is that the following scenarios have been tested:

1. @hostname:port with FileFormat
   works

2. @hostname:port with ForwardFormat
   works? I thought the message I was replying to said it did not
   work.

3. omspoof with ForwardFormat (%rawmesg%)
   does not work

4. omspoof with message only (%msg:2:2000%)
   works

5. omspoof with FileFormat (%timestamp% %hostname% %syslogtag%%msg%)
   does not work? this is what I think you are saying above

where FileFormat is

   Apr 19 12:34:56 hostname application[PID]: log data

and ForwardFormat is

   <190>Apr 19 12:34:56 hostname application[PID]: log data

David Lang