Hi Barry, I think the problem is that the remote server expects a RFC-3164 or RFC-5424 formatted message. It also tries to guess stuff if your messages aren't compatible, but I wouldn't count on that.
Where do you want your tag to live? Beginning of the message? In the place of the actual syslog tag? Here's a template for RFC-3164, that will work with old rsyslogs: $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%" Now, you can add your tag wherever you want. Like, if you want it at the beginning of the message, your custom template could be: $template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%CUSTOM_TAG %msg%" On Tue, Apr 1, 2014 at 7:25 AM, Barry Haycock <[email protected]>wrote: > > > Hi, > > I have a large number of RedHat servers mostly running RHEL 6.x and the > default 5.x Rsyslog software. > > Upgrading to the next major release is out of the question at this time as > this is at a client site. > > I have been trying to add a tag to a different log types. > > At the moment the log is being written locally and to the remote server. > The same tag is being applied to both instances of the log but the remote > server is receiving the unedited version of the log entry while the local > log is receiving the edited version. > > Tag: > > $template VLMessagesFwd, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% _XXXX > %TIMESTAMP:::DATE-RFC3339" %HOSTNAME%%msg:::sp-if-no-1st-sp%%msg%\n" > > *.info;mail.none;authpriv.none;cron.none > /var/log/messages;VLMessagesFwd > > & @@Server-002.<DOMAIN>:6172;VLMessagesFwd > > in this case the tag is being applied to /var/log/messages but not the > remote server even though the logs are arriving at the remote server > > Running the server in debug shows the template being applied to both the > local log entry and the remote server. via cfline entries > > cfline: '*.info;mail.none;authriv.none;cron.none > /var/log/messages;VLMessagesFwd > > template: 'VLMessagesFwd' assigned > > & > > cfline: '& @@Server-002.<DOMAIN>:6172;VLMessagesFwd' > > template: 'VLMessagesFwd' assigned > > I have more debug output if it is required . > > Any ideas on what is missing? > > -- > > Barry > > (M) 0411 064 000 > (F) 02 6257 7308 > > Banpen Fugyou - 10,000 Changes, No surprises > > Key Fingerprint: 4CFF 5276 1BF5 DFD4 684B CBD2 E414 6292 D40E BBFD > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > -- Performance Monitoring * Log Analytics * Search Analytics Solr & Elasticsearch Support * http://sematext.com/ _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
