[syslog-ng] rsyslog client produces "Error processing log message"

Balazs Scheidler bazsi77 at gmail.com
Thu Nov 8 20:55:52 CET 2012


----- Original message -----
> Andreas Heinlein <aheinlein at gmx.com> writes:
> 
> > we have a centralised log server running syslog-ng 3.1 OSE on Debian
> > 6.0. On the client side, we were using syslog-ng but now I'd like to
> > use rsyslog instead (for several reasons).
> 
> Independently of the issue below, I'd love to hear the reasons (either
> on-list, or in private).
> 
> > Transport should be TLS-encrypted TCP. I have set up a connection
> > between the two, but apparently syslog-ng fails to parse the log
> > messages sent by rsyslog. Every log line goes like this:
> > 
> > Nov   6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log 
> > message: <13>Nov   6 11:15:31 admin2-desktop ah: Test4
> > 
> > Does anyone have an idea what to configure with either rsyslog or 
> > syslog-ng so the two understand each other?
> > 
> > Relevant server side config:
> > source s_all { syslog(ip(172.16.x.x) port(6514) max_connections(50) tls(
>                  ^^^^^^
> 
> This is the issue. You're telling syslog-ng to expect the new syslog
> protocol, but later in the rsyslog.conf, you don't seem to be telling it
> to send that version, so it will use the legacy BSD format instead.
> 
> You have two options: either use tcp() on the syslog-ng side, or ask
> rsyslog to forward messages according to the new syslog protocol
> (however it may call it, it's RFC5424 by the way, while RFC3164 is the
> legacy BSD format).

I have updated the syslog() driver to automatically detect the rfc3164 format, but this happened in 3.3 or 3.4, can't remember which.