Hey Matthew,<div><br></div><div>That was it, thanks!</div><div><br></div><div>For people reading this after the fact, I am running syslog-ng-3.1.2-1.rhel5. Using one of the following two sources will work with rfc5424:</div>
<div><div>source s_udp { syslog( ip(0.0.0.0) port(514) transport(udp)); };</div><div>source s_udp { udp(flags(syslog-protocol)); };</div><div><br></div><div>This one does not parse correctly:</div><div><div>source s_udp { udp(); };</div>
</div><div><br></div><div>Regards,</div><div><br></div><br><div class="gmail_quote">On Thu, Feb 3, 2011 at 6:34 PM, Matthew Hall <span dir="ltr"><<a href="mailto:mhall@mhcomputing.net">mhall@mhcomputing.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Thu, Feb 03, 2011 at 05:11:08PM -0800, Lance Laursen wrote:<br>
> Unfortunately it is showing up in logs as this:<br>
><br>
> 2011-02-03T22:45:30+00:00 localhost 1 2011-02-03T22:14:15.003Z superhostomg<br>
> process - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"]<br>
> Message portion. Test log with structured data.<br>
><br>
> So all of the metadata is being printed to $MSG. What am I doing wrong?<br>
<br>
</div>Depending on syslog-ng version you probably need this flag:<br>
<br>
syslog-protocol<br>
<br>
<a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html#configuring_sources_syslog" target="_blank">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html#configuring_sources_syslog</a><br>
<br>
Regards,<br>
<font color="#888888">Matthew.<br>
</font><div><div></div><div class="h5">
</div></div></blockquote></div><br>
</div>
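<div>Added example, not part of the original thread and not syslog-ng code: a small Python parser for the RFC 5424 layout discussed above. It reads both a wire frame and the text a plain udp() source leaves in the message, so already-stored events can be found and re-split. The &lt;165&gt; PRI and the assumption that the leaked text starts at the version digit are constructed for the example.</div>

```python
import re

# RFC 5424 header: [<PRI>]VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID (space separated).
# PRI is optional so text already stored by a legacy source can be re-read; a full
# timestamp is required (stricter than the RFC) to avoid matching ordinary messages.
HEADER = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?(?P<version>1) (?P<timestamp>\d{4}-\d\d-\d\dT\S+) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
SD_ID = re.compile(r'\[([^\s=\]"]+)')
# PARAM-VALUE may contain '"', '\' and ']' only when backslash-escaped.
SD_PARAM = re.compile(r' ([^\s=\]"]+)="((?:\\.|[^"\\\]])*)"')

def parse_structured_data(text):
    """Return ({sd_id: {name: value}}, remaining_message)."""
    if text.startswith("-"):                      # NILVALUE: no structured data
        return {}, text[1:].lstrip(" ")
    if not text.startswith("["):
        raise ValueError("expected '-' or '[' where STRUCTURED-DATA starts")
    sd, pos = {}, 0
    while text.startswith("[", pos):
        elem = SD_ID.match(text, pos)
        if not elem:
            raise ValueError("bad SD-ID")
        pos, params = elem.end(), {}
        while (param := SD_PARAM.match(text, pos)):
            params[param.group(1)] = re.sub(r'\\(["\\\]])', r"\1", param.group(2))
            pos = param.end()
        if not text.startswith("]", pos):
            raise ValueError("unterminated SD-ELEMENT")
        sd[elem.group(1)] = params
        pos += 1
    return sd, text[pos:].lstrip(" ")

def parse_rfc5424(text):
    """Parse a wire frame, or leaked message text, into fields; ValueError if not RFC 5424."""
    header = HEADER.match(text)
    if not header:
        raise ValueError("not an RFC 5424 message")
    fields = header.groupdict()
    pri = fields.pop("pri")
    if pri is not None:                           # PRI = facility * 8 + severity
        fields["facility"], fields["severity"] = int(pri) >> 3, int(pri) & 7
    fields["sd"], fields["msg"] = parse_structured_data(text[header.end():])
    return fields

# Constructed samples: the event quoted in the thread; the <165> PRI is made up.
EVENT = ('1 2011-02-03T22:14:15.003Z superhostomg process - ID47 '
         '[exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"] '
         'Message portion. Test log with structured data.')
WIRE_FRAME, LEAKED_MSG = "<165>" + EVENT, EVENT
```

<div>Running parse_rfc5424 over stored message text and catching ValueError separates events that were received before the source was fixed from ordinary legacy messages.</div>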