<div dir="ltr"><div><div><div><div><div><div>I'm using syslog-ng rpm version 3.12.1-2 on CentOS 7<br><br></div>When we receive events remotely from another CentOS 7 host it uses the RFC5424 format and parses the messages correctly.<br></div>However we have some hosts that are older and still using rsyslog which is using the RFC3164 format - those events do not parse correctly.<br><br></div>My question is what is the best way to get syslog-ng to parse them?</div><div><br></div>This is how they come out:<br><span style="font-size:9pt;font-family:Arial;color:rgb(0,0,0);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" id="gmail-docs-internal-guid-fb0ece69-0ace-0704-83ab-f0f9463a3a75">{"TAGS":".source.test","SOURCEIP":"127.0.0.1","SOURCE":"test","SEQNUM":"26","PROGRAM":"info","PRIORITY":"notice","MESSAGE":" mig-agent 10430 - - - [info] refreshing agent environment","LEGACY_MSGHDR":"info ","HOST_FROM":"<a href="http://syslog-dev1.private.mdc1.mozilla.com">syslog-dev1.private.mdc1.mozilla.com</a>","HOST":"<a href="http://sanvmadm1.ops.mdc1.mozilla.com">sanvmadm1.ops.mdc1.mozilla.com</a>","FILE_NAME":"/var/log/test.log","FACILITY":"user","DATE":"Jan 17 23:57:52","CATEGORY":"syslog"]<br></span></div><span style="font-size:9pt;font-family:Arial;color:rgb(0,0,0);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" id="gmail-docs-internal-guid-fb0ece69-0ace-0704-83ab-f0f9463a3a75">Notice the Program says "info" and the mig-agent and pid are in the message key's value.<br><br></span></div><span style="font-size:9pt;font-family:Arial;color:rgb(0,0,0);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" id="gmail-docs-internal-guid-fb0ece69-0ace-0704-83ab-f0f9463a3a75">This is a correctly parsed event that has those fields parsed properly:<br></span><span style="font-size:9pt;font-family:Arial;color:rgb(0,0,0);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" id="gmail-docs-internal-guid-fb0ece69-0acf-7310-4264-066c00e8f650">{"TAGS":".source.moz_net","SOURCEIP":"127.0.0.1","SOURCE":"moz_net","SEQNUM":"35","PROGRAM":"mig-agent","PRIORITY":"info","PID":"2698","MESSAGE":"- - - [info] Public IP retrieval failed through proxy <a href="http://proxy.dmz.scl3.mozilla.com:3128">http://proxy.dmz.scl3.mozilla.com:3128</a> - Get <a href="https://api.mig.mozilla.org/api/v1//ip">https://api.mig.mozilla.org/api/v1//ip</a>: proxyconnect tcp: dial tcp <a href="http://10.22.74.78:3128">10.22.74.78:3128</a>: i/o timeout","LEGACY_MSGHDR":"mig-agent[2698]: ","HOST_FROM":"localhost6.localdomain","HOST":"<a href="http://syslog-dev1.private.mdc1.mozilla.com">syslog-dev1.private.mdc1.mozilla.com</a>","FACILITY":"daemon","DATE":"Jan 18 00:02:25","CATEGORY":"syslog"}<br><br></span><span style="font-size:9pt;font-family:Arial;color:rgb(0,0,0);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" id="gmail-docs-internal-guid-fb0ece69-0ace-0704-83ab-f0f9463a3a75"></span><div><div><div><div><div><div><div><div><br><br>destination d_amqp {<br> amqp(<br> vhost("/")<br> host("localhost")<br> port(5672)<br> exchange("eventtask")<br> exchange-type("direct")<br> routing-key("eventtask")<br> body("$(format-json --scope selected_macros --scope nv_pairs)")<br> persistent(no)<br> username("rabbituser")<br> password("*****")<br> );<br>};<br><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br></div>Alicia Smith<br></div><div>@phrozyn<br>Information Security Engineer<br></div><div><a href="mailto:asmith@mozilla.com" target="_blank">asmith@mozilla.com</a><br><br></div></div></div></div></div></div></div></div>
</div></div></div></div></div></div></div></div></div>