<div dir="ltr">I replaced syslog-ng on the relay to work around this.  </div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 5, 2018 at 7:20 PM, Jim Hendrick <span dir="ltr"><<a href="mailto:james.r.hendrick@gmail.com" target="_blank">james.r.hendrick@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hmmm - looks like (maybe) the message part is not being parsed correctly at the rsyslog server - the MSG part seems to have a syslog message header including a TIMESTAMP, the HOSTNAME of the originating server MD_FWPA01, followed by the rest of the MSG<div><br></div><div>I may be missing something - and it might not be RFC 5424 <a href="https://tools.ietf.org/html/rfc5424" target="_blank">https://tools.ietf.org/html/rfc5424</a> compliant - but I think the rsyslogd is wrapping the whole thing in another header before it is being sent along.</div><div><br></div><div>Jim</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Mon, Feb 5, 2018 at 3:50 PM, Scot <span dir="ltr"><<a href="mailto:scotrn@gmail.com" target="_blank">scotrn@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div>The Msg: header seems to be formatted correctly. Relabeled some data. 
</div><div><br></div><div>15:44:07.886743 IP (tos 0x10, ttl 64, id 8925, offset 0, flags [none], proto UDP (17), length 513)</div><div>    <b>RSYSLOG_RELAYIP</b>.58828 > <b>IDS_TARGETIP</b>.syslog: SYSLOG, length: 485</div><div><span style="white-space:pre-wrap">       </span>Facility local0 (16), Severity info (6)</div><div><span style="white-space:pre-wrap">  </span>Msg: 1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - 15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log,,,not-applicable,vsys1,SOUND-Trust,SOUND-Untrust,ae2.100,,SOUND-LogForwarder,2018/02/05 15:44:07,0,1,60886,443,0,0,0x4000,udp,deny,1396,1396,0,1,2018/02/05 15:44:07,0,any,0,95104452051,0x0,10.0.0.0-10.255.255.255,US,0,1,0,policy-deny,21,12,23,0,SOUND,MD_FWPA01,from-policy\0x0a</div></div>
<br></div></div>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div>
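Added example (not code from the thread, rsyslog or syslog-ng): a small RFC 5424 header parser run over the Msg: line captured above, so you can see which header field the relay put each piece of the firewall record into. The PRI value and the shortened sample line are constructed from the capture; the reassembly step assumes the relay split the firewall's record at its first space.

```python
import re

# Constructed sample: a shortened copy of the Msg: payload captured above, with
# tcpdump's "Facility local0 (16), Severity info (6)" restored as the on-wire
# PRI <134> (16*8 + 6); the trailing "\0x0a" newline is omitted.
SAMPLE = ("<134>1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - "
          "15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,"
          "10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log")

_PRI = re.compile(r"^<(\d{1,3})>")
_HEADER = ("version", "timestamp", "hostname", "app_name", "procid", "msgid")


def parse_rfc5424(line: str) -> dict:
    """Split one RFC 5424 line into PRI, the six header fields, SD and MSG."""
    fields = {"facility": None, "severity": None}
    m = _PRI.match(line)            # PRI is optional here: tcpdump strips it
    if m:
        pri = int(m.group(1))
        fields["facility"], fields["severity"] = pri >> 3, pri & 7
        line = line[m.end():]
    parts = line.split(" ", 6)      # six SP-delimited header fields + rest
    if len(parts) < 7 or parts[0] != "1":
        raise ValueError("not an RFC 5424 version-1 header")
    fields.update(zip(_HEADER, parts[:6]))
    rest = parts[6]
    # STRUCTURED-DATA is "-" or one or more [id k="v" ...] elements; a literal
    # ']' inside a PARAM-VALUE is escaped as '\]', so escaped chars are skipped.
    if rest.startswith("-"):
        i = 1
    else:
        i = 0
        while i < len(rest) and rest[i] == "[":
            i += 1
            while i < len(rest) and rest[i] != "]":
                i += 2 if rest[i] == "\\" else 1
            i += 1
    fields["structured_data"] = rest[:i]
    fields["msg"] = rest[i + 1:] if rest[i:i + 1] == " " else rest[i:]
    return fields


def reassemble_inner_record(fields: dict) -> str:
    """Rejoin APP-NAME and MSG. Assumption (not stated in the thread): the relay
    split the firewall's comma-separated record at its first space."""
    return f"{fields['app_name']} {fields['msg']}"


if __name__ == "__main__":
    parsed = parse_rfc5424(SAMPLE)
    print(parsed, reassemble_inner_record(parsed), sep="\n")
```

On the captured line the APP-NAME field comes out as `1,2018/02/05` and MSG starts at `15:44:07,...`, which is where the relay's added header ends and the original firewall record resumes.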