Rainer,

> Can you send me an on-the-wire sample of those messages (I mean that are
> invalidly interpreted). I have now created the parser test suite and they
> would make a good addition, especially as I need to troubleshoot them ;)
>
> Rainer

Before disclosing enough data I have to ask for permission. I can tell you that the last hop in this relay chain is using rsyslog v3, and that the format I got (tcpdump dixit) for these messages is always like this:

    <38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)

And what gets actually logged for that is:

    2009-03-27T19:06:53+01:00 last_hop_server source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)

Then, last_hop_server becomes %hostname% and source_server becomes %syslogtag%.

This last hop server is using rsyslog v3, so it seems to me I have to instruct v4 that the input is coming in a non-default format.

Cheers.
-- 
Luis Fernando Muñoz Mejías
[email protected]
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
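Added example, not part of the original message and not rsyslog code: a small Python check that parses the on-the-wire frame quoted above as classic BSD syslog (RFC 3164) and compares its hostname and tag with the line that was actually logged, which is how a shifted host attribution like this one can be caught in a parser test. The function names and the assumed layout of the logged line (timestamp, %hostname%, %syslogtag%, rest) are assumptions made for illustration.

```python
import re

# Classic BSD syslog (RFC 3164) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^\s:]+):? ?"
    r"(?P<msg>.*)$"
)

# Assumed layout of the logged line: ISO timestamp, %hostname%, %syslogtag%, rest.
LOGGED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<hostname>\S+) (?P<tag>\S+) (?P<rest>.*)$"
)

# Both samples are copied from the message above.
WIRE_SAMPLE = ("<38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: "
               "session opened for user foo by (uid=0)")
LOGGED_SAMPLE = ("2009-03-27T19:06:53+01:00 last_hop_server source_server "
                 "sshd(pam_unix)[12750]: session opened for user foo by (uid=0)")


def parse_wire(frame):
    """Split an RFC 3164 style frame into its header fields and message."""
    m = RFC3164.match(frame)
    if m is None:
        raise ValueError("not an RFC 3164 style frame")
    fields = m.groupdict()
    # PRI encodes facility * 8 + severity.
    fields["facility"], fields["severity"] = divmod(int(fields.pop("pri")), 8)
    return fields


def attribution_shift(frame, logged_line):
    """Return {field: (on_wire, as_logged)} for hostname/tag values that differ."""
    wire = parse_wire(frame)
    m = LOGGED.match(logged_line)
    if m is None:
        raise ValueError("logged line does not match the assumed template")
    logged = m.groupdict()
    return {k: (wire[k], logged[k])
            for k in ("hostname", "tag") if wire[k] != logged[k]}


if __name__ == "__main__":
    for field, (on_wire, as_logged) in attribution_shift(WIRE_SAMPLE, LOGGED_SAMPLE).items():
        print(f"{field}: wire={on_wire!r} logged={as_logged!r}")
```

An empty result from `attribution_shift` means the relay hop preserved the originating host and program name; any entry means events are being attributed to the wrong host or tag downstream.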

