Hi,

on my machine I am using rsyslog 5.8.1 for remote syslog, and syslog-ng for local log processing and filtering. The syslog-ng is set up to send its data to the rsyslog daemon. When I have the syslog-ng provide its data to the rsyslog using a tcp connection on localhost, the data I receive on the remote end is fine. If I use a datagram socket for the communication between syslog-ng and rsyslog (using the imuxsock input plugin) the data format is changed into the following:

"<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - - exim-out[27081]: 2011-07-12 17:12:00 Start queue run: pid=27081\n"
"<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - - exim-out[27081]: 2011-07-12 17:12:00 End queue run: pid=27081\n"

As you can see, the imuxsock plugin adds its own timestamps, although the documentation says that application-provided timestamps are ignored by default. I tried setting the $InputUnixListenSocketIgnoreMsgTimestamp configuration value explicitly, but to no avail.

I also tried to change the message format of the syslog-ng which is providing the logs. Using the default syslog-ng settings, the logs that arrive at the rsyslog daemon look like this:

<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: 2011-07-13 09:55:00 Start queue run: pid=25592
<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: 2011-07-13 09:55:00 End queue run: pid=25592

Using the flag 'syslog-protocol' in the syslog-ng configuration, which is supposed to have the messages formatted according to the IETF syslog protocol standard, the messages arriving at the rsyslog daemon look like this:

<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - [meta sequenceId="3"] 2011-07-13 09:56:00 Start queue run: pid=25651
<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - [meta sequenceId="4"] 2011-07-13 09:56:00 End queue run: pid=25651

Unfortunately, in both cases the result is the same. It looks to me like the imuxsock plugin fails to correctly handle the incoming message format; date stamps are duplicated, and the fields which are supposed to contain application name and pid only contain dashes.

Is there anything I failed to configure correctly, or is this a bug in the imuxsock plugin? Is there a better way to hook up a local syslog-ng to a local rsyslog?

Best regards,
Andreas Grosse

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

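A check a collector could run on relayed lines like the ones in this post, written as an added example that is not part of the original message or of rsyslog or syslog-ng: it splits each line by the RFC 5424 field order, reports when the sender's tag[pid] sits at the start of MSG instead of in the header's APP-NAME and PROCID fields, and rebuilds the header from it. The function names are hypothetical; the three sample lines are the ones quoted in the post.

```python
import re

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# (simplified: an escaped "]" inside structured-data values is not handled)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$", re.S)
# BSD-style "tag[pid]: " prefix found at the start of MSG
LEGACY_TAG = re.compile(r"^(?P<tag>[^\s\[:]+)\[(?P<pid>\d+)\]: ?")

# Lines quoted in the post above
RELAYED = ("<22>1 2011-07-12T17:12:00+02:00 agrdevel2 agrdevel2 - - - "
           "exim-out[27081]: 2011-07-12 17:12:00 Start queue run: pid=27081")
IETF = ('<22>1 2011-07-13T09:56:00+02:00 agrdevel2 exim-out 25651 - '
        '[meta sequenceId="3"] 2011-07-13 09:56:00 Start queue run: pid=25651')
LEGACY = ("<22>Jul 13 09:55:00 agrdevel2 exim-out[25592]: "
          "2011-07-13 09:55:00 Start queue run: pid=25592")

def _split(line):
    """Return (header match, tag match) when MSG carries a tag[pid] the header lacks."""
    m = RFC5424.match(line.rstrip("\n"))
    t = LEGACY_TAG.match(m["msg"]) if m else None
    if t and (m["app"], m["procid"]) != (t["tag"], t["pid"]):
        return m, t
    return None  # not RFC 5424 framed, or header and MSG agree

def displaced_tag(line):
    """(tag, pid) recovered from MSG, or None if the line needs no repair."""
    hit = _split(line)
    return (hit[1]["tag"], int(hit[1]["pid"])) if hit else None

def repair(line):
    """Rebuild the header with the tag and pid taken from MSG; intact lines pass through."""
    hit = _split(line)
    if not hit:
        return line
    m, t = hit
    return "<{}>{} {} {} {} {} {} {} {}".format(
        m["pri"], m["ver"], m["ts"], m["host"], t["tag"], t["pid"],
        m["msgid"], m["sd"], m["msg"][t.end():])

if __name__ == "__main__":
    for sample in (RELAYED, IETF, LEGACY):
        print(displaced_tag(sample), "|", repair(sample))
```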
