Okay, the solution was actually simpler than I thought. Basically, on the loghost that was relaying to an archive logger, I needed to define a custom template for the relaying, which would ensure the syslog events would be sent out exactly as they were coming in. This ended up being rather simple.
The original template from the rsyslog clients is: $template SiteIDForwardFormat, "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%[SITE:sitename]%msg:::sp-if-no-1st-sp%%msg%" To forward these properly and unmolested to the archive loghost, I needed to run them through this template on the relay host: $template SiteIDRelayFormat, "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg%" Then, the relay action was split up into a couple actions to make sure things were forwarded correctly to the archive loghost: :msg, startswith, "[SITE:" @@logarchive:1514;SiteIDRelayFormat :msg, !startswith, "[SITE:" @@logarchive:1514;SiteIDForwardFormat I.e., anything that's already tagged gets relayed with the relay format, and anything that's not has the tag added and is forwarded on. Thanks for the suggestion of the debug log; running both the relay and the archiver with debug logging is what led me to the solution. Gregory -- Gregory K. Ruiz-Ade <[email protected]> OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
