> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Jo Rhett > Sent: Friday, April 20, 2012 2:53 AM > To: rsyslog-users > Subject: [rsyslog] rawmessage forwarding doesn't appear to work > > I've been debugging this all day, and I'm not sure what's wrong yet > (got some pcaps I'm staring at) but raw message forwarding as > documented doesn't work. First, as documented on > http://www.rsyslog.com/doc/omudpspoof.html > > $ModLoad omudpspoof > $template spooftemplate,"%rawmsg%" > $ActionUDPSpoofTargetHost server.example.com > *.* :omudpspoof:;spooftemplate > > This doesn't work with 5.8. So revised as: > > $ModLoad omudpspoof > $template spooftemplate,"%rawmsg%" > $ActionOMUDPSpoofTargetHost server.example.com > *.* :omudpspoof:;spooftemplate
Thanks - the doc was incorrect. I just fixed it (inside git so far). > > This works and sends the packet, but the remote server doesn't like the > packet. I've gotten it to work with just "%msg%" and a few other > formats, but sending the entire original message doesn't appear to > work. > > Some clarity might be helpful: is rsyslog breaking the message down and > rebuilding it? If so, is rawmessage likely to be producing a > pregnant/bundled message? In theory, the message is processed, but if you use just the rawmsg property, this *is* the raw message exactly as it was received. So the message is not altered in that case. Rainer _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
