On Wed, 25 Apr 2012, Steven Willis wrote:
When the remote system receives the message, if you have not loaded a specific parser module it assumes that what it's receiving is in the traditional syslog format.

In your first example, hostname:{%hostname%} triggers something in the parsing logic that says that this can't be a legitimate hostname, so it puts the IP address of the sender in the hostname field instead. In the second case, this heuristic doesn't get triggered, so it puts the result of 'hostname{%hostname%}' in the hostname field, so it does what you are expecting.

The short version is not to muck with the formatting until you arrive at your final destination (unless you need to fix something that's broken). I'll bet that if you use the default format on your sending machine, and your custom format on the receiving machine, it will do what you want.

Ahh, thanks David. I got it now. But, for the forwarding, should I use RSYSLOG_TraditionalForwardFormat, RSYSLOG_ForwardFormat, or RSYSLOG_SyslogProtocol23Format (is that even a forwarding format)? We're using rsyslog 4.6.2, and there's no chance that we'll be sending to any other syslogs or earlier versions of rsyslog.

The difference between Traditional and the others is the accuracy of the timestamp. If you are happy with the standard month day hh:mm:ss timestamp, traditional works. If you want the timestamp to include the timezone and sub-second accuracy, then use RSYSLOG_ForwardFormat.
David Lang
-Steve
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
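To make the timestamp difference discussed in this thread concrete, here is an added example (not code from the thread or from rsyslog) that renders one constructed event in both timestamp styles and measures how far off the collector's recorded time ends up. The simplified frame layout, the function names, and the rule that the collector fills the missing year and zone from its own clock are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Simplified frame layout (assumption): <PRI>TIMESTAMP HOSTNAME TAG MSG
FRAME = re.compile(
    r"^<(\d{1,3})>"
    r"(?:(\d{4}-\d\d-\d\dT\S+)|([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d))"
    r" (\S+) (.*)$")

def render(style, pri, when, host, rest):
    """Build a forwarded frame with the timestamp style of one template."""
    if style == "traditional":   # month day hh:mm:ss
        ts = "%s %2d %s" % (MONTHS[when.month - 1], when.day,
                            when.strftime("%H:%M:%S"))
    elif style == "forward":     # RFC 3339: zone offset and fraction kept
        ts = when.isoformat()
    else:
        raise ValueError(style)
    return "<%d>%s %s %s" % (pri, ts, host, rest)

def parse(frame, receiver_now):
    """Parse a frame and list the timestamp parts the receiver had to assume."""
    m = FRAME.match(frame)
    if m is None:
        raise ValueError("unrecognised frame: %r" % frame)
    pri, rfc3339, rfc3164, host, rest = m.groups()
    if rfc3339:
        when, assumed = datetime.fromisoformat(rfc3339), []
    else:
        # Nothing on the wire says which year or zone: borrow the receiver's.
        h, mi, s = (int(x) for x in rfc3164[7:].split(":"))
        when = datetime(receiver_now.year, MONTHS.index(rfc3164[:3]) + 1,
                        int(rfc3164[4:6]), h, mi, s,
                        tzinfo=receiver_now.tzinfo)
        assumed = ["year", "timezone", "sub-second"]
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "host": host, "time": when, "assumed": assumed, "msg": rest}

# Constructed sample: sender clock at UTC-04:00, collector clock in UTC.
EVENT = datetime(2012, 4, 25, 14, 3, 7, 123456,
                 tzinfo=timezone(timedelta(hours=-4)))
COLLECTOR_NOW = datetime(2012, 4, 25, 18, 3, 8, tzinfo=timezone.utc)

def skew(style):
    """Absolute error between the true event time and the recorded one."""
    frame = render(style, 13, EVENT, "web01", "sshd[411]: constructed sample")
    return abs(parse(frame, COLLECTOR_NOW)["time"] - EVENT)
```

With senders in different timezones, the traditional style leaves a per-host offset in the collected timestamps that has to be corrected before events from several machines can be put on one timeline.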

