<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="generator" content="Osso Notes">
<title></title></head>
<body>
<p>----- Original message -----
<br>> Andreas Heinlein <<a href="mailto:aheinlein@gmx.com">aheinlein@gmx.com</a>> writes:
<br>>
<br>> > we have a centralised log server running syslog-ng 3.1 OSE on Debian
<br>> > 6.0. On the client side, we were using syslog-ng but now I'd like to
<br>> > use rsyslog instead (for several reasons).
<br>>
<br>> Independently of the issue below, I'd love to hear the reasons (either
<br>> on-list, or in private).
<br>>
<br>> > Transport should be TLS-encrypted TCP. I have set up a connection
<br>> > between the two, but apparently syslog-ng fails to parse the log
<br>> > messages sent by rsyslog. Every log line goes like this:
<br>> >
<br>> > Nov  6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log
<br>> > message: <13>Nov  6 11:15:31 admin2-desktop ah: Test4
<br>> >
<br>> > Does anyone have an idea what to configure with either rsyslog or
<br>> > syslog-ng so the two understand each other?
<br>> >
<br>> > Relevant server side config:
<br>> > source s_all { syslog(ip(172.16.x.x) port(6514) max_connections(50)
<br>> > tls(
<br>>  ^^^^^^
<br>>
<br>> This is the issue. You're telling syslog-ng to expect the new syslog
<br>> protocol, but later in the rsyslog.conf, you don't seem to be telling it
<br>> to send that version, so it will use the legacy BSD format instead.
<br>>
<br>> You have two options: either use tcp() on the syslog-ng side, or ask
<br>> rsyslog to forward messages according to the new syslog protocol
<br>> (however it may call it, it's RFC5424 by the way, while RFC3164 is the
<br>> legacy BSD format).
<br>
<br>I have updated the syslog() driver to automatically detect the RFC3164 format, but this happened in 3.3 or 3.4, can't remember which.</p>
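<p>The format mismatch discussed in this thread can be confirmed by classifying the header of each message the client sends. The following is an added example, not code from syslog-ng or rsyslog: the function names and the RFC 5424 sample line are constructed for illustration, and the legacy sample is the message from the error quoted above.</p>

```python
import re

# PRI is "<" + 1-3 digits + ">" in both formats; value = facility * 8 + severity.
PRI = re.compile(r"^<(\d{1,3})>")
# RFC 5424: PRI is followed by VERSION, a space, then "-" or an ISO 8601 timestamp.
RFC5424_REST = re.compile(r"^[1-9]\d{0,2} (?:-|\d{4}-\d{2}-\d{2}T\S+) ")
# RFC 3164 (legacy BSD): PRI is followed by "Mmm dd hh:mm:ss", day space-padded.
RFC3164_REST = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"[ \d]\d \d{2}:\d{2}:\d{2} ")

# The message syslog-ng rejected, taken from the error line in the thread.
PAGE_MESSAGE = "<13>Nov  6 11:15:31 admin2-desktop ah: Test4"
# Constructed sample: similar content as an RFC 5424 message (year and offset invented).
CONSTRUCTED_5424 = "<13>1 2012-11-06T11:15:31+01:00 admin2-desktop ah - - - Test4"


def classify(line):
    """Return (format, facility, severity); format is rfc5424, rfc3164 or unknown."""
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        return ("unknown", None, None)
    facility, severity = divmod(int(m.group(1)), 8)
    rest = line[m.end():]
    if RFC5424_REST.match(rest):
        return ("rfc5424", facility, severity)
    if RFC3164_REST.match(rest):
        return ("rfc3164", facility, severity)
    return ("unknown", facility, severity)


def audit(lines):
    """Count formats in a capture so a sender/receiver mismatch is visible."""
    counts = {}
    for line in lines:
        fmt = classify(line)[0]
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in (PAGE_MESSAGE, CONSTRUCTED_5424):
        print(classify(sample), sample)
```
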
</body>
</html>