See below.

> >>>> The first rsyslog server uses the config below, so template is:
> >>>> $template rel,"%fromhost% %fromhost-ip% %rawmsg%\n"
> >>>> The receiving rsyslog server uses this template and logs to file:
> >>>> $template raw,"%rawmsg%"
> >>>
> >>> Ok, if the sending server is using the template rel to send the message
> >>> to the second server you have a problem (this is what I thought was
> >>> happening with the omspoof config above)
> >>>
> >>> a valid syslog message is
> >>> <###>timestamp hostname syslogtag[pid]: message
> >>>
> >>> you are sending
> >>>
> >>> hostname ip <###>timestamp hostname syslogtag[pid]: message
> >>>
> >>> the receiving message is going to try to 'do the right thing' and correct
> >>> for the malformed message, but it's unlikely to be right all the time.
> >>>
> >>> the fact that you are getting framing errors indicates that the sending
> >>> server is doing something very wrong
> >>>
> >>
> >> I guess there is a numeric hostname. That would trigger octet-counted
> >> framing, and that in turn could trigger the error message.
> >
> > or just no DNS for the hostname, so that field contains an IP address
> > instead.
>
> indeed, that's the most probable cause.
>
> Rainer
Hi together,

Thanks for all your support. Nevertheless I did not get that at all:

What I want to do is to set a prefix consisting of "original" Source and hostname before the raw message and keep the raw message as it is without any modification.

From my understanding, the raw-message is kept and concatenated to the new syslog message sent.

I also think that octet-counted framing should never apply to the message-contents, because we never know if a syslog message might not contain one or more exotic strings.

Actually in most cases it seems to work as expected:

2015-04-29T10:58:01.108756+02:00 localhost localhost ::1 Real-syslog-Message

So, what is my mistake and what possibilities do I have to achieve my aim without conflicts?

best regards
Chris
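The framing behaviour discussed in this thread, as an added example that is not part of the original messages and is not rsyslog's code: a simplified Python model of a TCP syslog receiver that accepts both RFC 6587 framings, run over constructed records in the "hostname ip <PRI>..." layout. The function name, the sample records and the way a framing error is reported are assumptions.

```python
# Simplified model of RFC 6587 framing detection on a TCP syslog stream.
# A record that starts with a digit is taken as "MSG-LEN SP SYSLOG-MSG"
# (octet counting); anything else is read up to the next LF.
# Not rsyslog's implementation; all sample records are constructed.

def split_frames(stream: bytes):
    """Return a list of (kind, payload) tuples for the given byte stream."""
    frames, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1].isdigit():
            end = pos
            while stream[end:end + 1].isdigit():
                end += 1
            if stream[end:end + 1] != b" ":
                # Digits not followed by SP, e.g. "192." from an IP address.
                nl = stream.find(b"\n", pos)
                nl = len(stream) if nl == -1 else nl
                frames.append(("framing-error", stream[pos:nl]))
                pos = nl + 1
                continue
            length = int(stream[pos:end])
            start = end + 1
            # The count is trusted: LF inside the payload is not a delimiter.
            frames.append(("octet-counted", stream[start:start + length]))
            pos = start + length
        else:
            nl = stream.find(b"\n", pos)
            nl = len(stream) if nl == -1 else nl
            frames.append(("lf-delimited", stream[pos:nl]))
            pos = nl + 1
    return frames

# Constructed records as produced by a "%fromhost% %fromhost-ip% %rawmsg%\n" prefix.
NAMED_HOST = b"localhost ::1 <13>Apr 29 10:58:01 web1 app[42]: ok\n"
IP_AS_HOST = b"192.0.2.7 192.0.2.7 <13>Apr 29 10:58:01 web1 app[42]: ok\n"
NUMERIC_HOST = b"20 192.0.2.7 <13>Apr 29 10:58:01 web1 app[42]: ok\n"

if __name__ == "__main__":
    for record in (NAMED_HOST, IP_AS_HOST, NUMERIC_HOST):
        print(record, "->", split_frames(record))
```

Only the record beginning with a letter survives intact; the IP-prefixed record fails the length check, and the numeric hostname is consumed as a byte count that cuts the record in two.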

