I have tried using the following in my rules, but am still receiving something that looks invalid.
RULES $ActionSendStreamDriver ptcp $ActionForwardDefaultTemplateName RSYSLOG_SyslogProtocol23Format *.info @@(o)127.0.0.1:7777 RECEIVE "<4>Nov ..." What is received still does not look like it is conforming to RFC 5424 yet, even after adding the recommended template. What am I doing wrong? > -----Original Message----- > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog- > boun...@lists.adiscon.com] On Behalf Of Rodrian, Logan P (IS) > Sent: Thursday, November 01, 2012 3:00 PM > To: rsyslog@lists.adiscon.com > Subject: Re: [rsyslog] RFC 5424 over TCP Support > > Thank you for your reply. I am now using the octet framing as you > prescribed, which seems to solve the original issue. My next issue is > that the syslog message string does not appear to be RFC 5424 formatted > (it looks like "<###>Nov ...."), versus: > > > SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG] > > HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME > SP APP-NAME SP PROCID SP MSGID > PRI = "<" PRIVAL ">" > PRIVAL = 1*3DIGIT ; range 0 .. > 191<http://tools.ietf.org/html/rfc5424#page-191> > VERSION = NONZERO-DIGIT 0*2DIGIT > > ... > > Is there a setting or prebuilt template that will output the message in > RFC 5424 format? I should probably alias the template, it is called RSYSLOG_SyslogProtocol23Format - this stems back to the days when we used rsyslog as a testbed for the pre-RFC versions. Rainer Logan Rodrian Cyber Engineer Northrop Grumman w (720) 744-7467 m (303) 748-1649 logan.rodr...@ngc.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.