Github user JonZeolla commented on the issue:
https://github.com/apache/metron/pull/1175
It looks like the upstream palindromicity/simple-syslog-5424 assumes that
the PRI will be included in a log. While this is in the spec/RFC and sent on
the network, it is standard practice to not write this to disk, but instead it
is used by syslog software to choose which file to write it to, and strip it
before writing to disk so the first component of the log is the date/timestamp.
Situations where syslog is pulled from disk and sent into Metron will all fail
with a syntax error. I would suggest that you work with the upstream lib
(yourself) to make the PRI field optional =)
Some evidence of my claims:
* rsyslog documentation explaining that PRI fields are sent but not recorded [here](https://www.rsyslog.com/doc/v8-stable/tutorials/recording_pri.html).
* The rsyslog built-in templates for writing to disk exclude PRI ([details](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates#brid-template-examples)).
* Even legacy file formats only include PRI when forwarding ([details](https://rsyslog-doc.readthedocs.io/en/latest/configuration/templates.html#legacy-string-based-template-samples)).
* [Back in 2010](https://serverfault.com/questions/110678/syslog-ng-how-to-log-severity-facility) the SUSE syslog-ng format defaults to writing without PRI.
---
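A tolerant header parser for the situation described in the comment above, added here as an example (it is not code from Metron or from palindromicity/simple-syslog-5424): it accepts an RFC 5424 record whether or not the `<PRI>` prefix (and the version digit that follows it on the wire) is present, and derives facility and severity only when the PRI survived the trip to disk. Both sample lines, the hostname, the process id and the structured-data element are constructed for illustration.

```python
"""Parse RFC 5424 syslog lines where the <PRI> prefix may have been stripped.

Added example, not code from Metron or simple-syslog-5424. The sample
records below are constructed; they do not come from a real host.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Conventional short names for the RFC 5424 facility and severity codes.
# PRI = facility * 8 + severity, so PRI 34 is facility 4 (auth), severity 2 (crit).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_HEADER = re.compile(r"""
    ^(?:<(?P<pri>\d{1,3})>)?              # PRI: on the wire, usually absent on disk
    (?:(?P<version>\d{1,2})\s+)?          # VERSION: written right after PRI on the wire
    (?P<ts>\S+)\s+                        # TIMESTAMP (or "-")
    (?P<host>\S+)\s+                      # HOSTNAME
    (?P<app>\S+)\s+                       # APP-NAME
    (?P<procid>\S+)\s+                    # PROCID
    (?P<msgid>\S+)\s+                     # MSGID
    (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)   # STRUCTURED-DATA: "-" or one or more [..]
    (?:\s(?P<msg>.*))?$                   # MSG (optional)
""", re.VERBOSE | re.DOTALL)


@dataclass
class SyslogRecord:
    facility: Optional[int]       # None when the PRI was stripped before writing
    severity: Optional[int]
    version: Optional[int]
    timestamp: Optional[datetime]  # None for the NILVALUE "-"
    hostname: str
    app_name: str
    proc_id: str
    msg_id: str
    structured_data: str
    message: str

    @property
    def facility_name(self) -> Optional[str]:
        return None if self.facility is None else FACILITIES[self.facility]

    @property
    def severity_name(self) -> Optional[str]:
        return None if self.severity is None else SEVERITIES[self.severity]


def parse_5424(line: str) -> SyslogRecord:
    """Parse one line; raise ValueError if it is not an RFC 5424 header."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 header: {line!r}")

    facility = severity = None
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
            raise ValueError(f"PRI out of range: {pri}")
        facility, severity = divmod(pri, 8)

    ts = m.group("ts")
    timestamp = None
    if ts != "-":
        # datetime.fromisoformat() before Python 3.11 does not accept a trailing "Z".
        timestamp = datetime.fromisoformat((ts[:-1] + "+00:00") if ts.endswith("Z") else ts)

    return SyslogRecord(
        facility=facility,
        severity=severity,
        version=None if m.group("version") is None else int(m.group("version")),
        timestamp=timestamp,
        hostname=m.group("host"),
        app_name=m.group("app"),
        proc_id=m.group("procid"),
        msg_id=m.group("msgid"),
        structured_data=m.group("sd"),
        message=m.group("msg") or "",
    )


# Constructed samples: the same event as sent over the network and as rsyslog
# would typically write it to disk (PRI and version stripped, timestamp first).
ON_WIRE = ('<34>1 2024-05-03T10:15:42.123Z web01.example.net sshd 4127 ID47 '
           '[exampleSDID@32473 iut="3"] Failed password for invalid user admin')
ON_DISK = ('2024-05-03T10:15:42.123Z web01.example.net sshd 4127 ID47 '
           '[exampleSDID@32473 iut="3"] Failed password for invalid user admin')

if __name__ == "__main__":
    for sample in (ON_WIRE, ON_DISK):
        rec = parse_5424(sample)
        print(rec.facility_name, rec.severity_name, rec.timestamp, rec.app_name, rec.message)
```

The only difference between the two parses is that the on-disk record carries no facility or severity; a consumer that needs them must obtain them from the file the daemon chose to write to (or from a template that records PRI), not from the line itself.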