> when the remote system receives the message, if you have not loaded a
> specific parser module it assumes that what it's receiving is in the
> traditional syslog format.
>
> in your first example, hostname:{%hostname%} triggers something in the
> parsing logic that says that this can't be a legitimate hostname, so it
> puts the IP address of the sender in the hostname field instead.
>
> In the second case, this heuristic doesn't get triggered, so it puts
> the result of 'hostname{%hostname%}' in the hostname field, so it does
> what you are expecting.
>
> The short version is not to muck with the formatting until you arrive
> at your final destination (unless you need to fix something that's
> broken)
>
> I'll bet that if you use the default format on your sending machine,
> and your custom format on the recieving machine, it will do what you
> want.
Ahh, thanks David. I got it now. But, for the forwarding, should I use
RSYSLOG_TraditionalForwardFormat, RSYSLOG_ForwardFormat, or
RSYSLOG_SyslogProtocol23Format (is that even a forwarding format)? We're using
rsyslog 4.6.2, and there's no chance that we'll be sending to any other syslogs
or earlier version of rsyslog.
-Steve
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
