The problem you are running into is that the syslog RFC defines a properly formatted message as being

<###>MMM DD HH:MM:SS hostname syslogtag message

where message can contain just about anything.

The default parser tries very hard to figure out what is what to handle malformed messages, but in your case it has no way to know that the first section of the message you want belongs as part of %msg% and there is no syslogtag field.

Creating a custom format to combine the fields is the easiest way to deal with the problem.

The other option is to create a custom parser that will understand these messages and put everything into the %msg% field. This is a very new capability in rsyslog, and so there aren't many examples of how to do this yet.

David Lang

David,

Thanks for the quick response.
I'm grateful for your suggestion.

In fact, the syslog implementation I am using is syslog4j.
http://www.syslog4j.org/

It seems this library does not provide a tag by default (unless I am using it incorrectly).
Using:
SyslogIF.setIdent("appName");
....inserted a tag and the rawmsg parser now produces all the %msg% I
expect.
Great stuff, Many thanks

Rob

--
Rob Shepherd BEng PhD - Director / Senior Engineer - DataCymru Ltd
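
The tag/msg split discussed in this thread, as an added example that is not code from either poster or from rsyslog: a simplified model of the `<PRI>timestamp hostname syslogtag message` split, showing that a frame sent without a tag loses its first word to the tag field, so anything matching on %msg% alone (filters, alert rules) no longer sees it. The sample frames, the hostname `apphost` and the function names are constructed for illustration.

```python
import re

# Simplified model of the BSD-syslog header split described above:
#   <PRI>MMM DD HH:MM:SS hostname syslogtag message
# This is NOT rsyslog's parser; it only illustrates the tag/msg boundary.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)

def parse(raw):
    """Split one raw frame into pri, timestamp, host, syslogtag and msg."""
    m = HEADER.match(raw)
    if m is None:
        raise ValueError("frame is not in <PRI>timestamp hostname ... form")
    rest = m.group("rest")
    # The tag is the leading run up to the first ':' or whitespace.
    # The parser has no way to know whether that run was meant as a tag.
    tag = re.match(r"[^\s:]*:?", rest).group(0)
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "syslogtag": tag,
        "msg": rest[len(tag):],
    }

def combined(fields):
    """What a custom output format writing tag and msg back to back yields."""
    return fields["syslogtag"] + fields["msg"]

# Constructed sample frames: the sender omits the tag, then sets an ident.
NO_TAG = "<14>Oct 11 22:14:15 apphost User login failed for rob"
WITH_TAG = "<14>Oct 11 22:14:15 apphost appName: User login failed for rob"

if __name__ == "__main__":
    for frame in (NO_TAG, WITH_TAG):
        f = parse(frame)
        print(repr(f["syslogtag"]), repr(f["msg"]), "->", repr(combined(f)))
```
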

