<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Jun 21, 2018 18:11, "David Campeau" <<a href="mailto:David.Campeau@tn.gov">David.Campeau@tn.gov</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_5726387106009549887WordSection1">
<p class="MsoNormal">Hello,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I have a syslog source node sending syslogs, and they are being generated via a Python script, which is using Python
<span style="color:black">Rfc5426SysLogHandler. So, these syslog messages should be RFC compliant. However, syslog-ng does prepend an error message before sending it on to be put into storage.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:black">Example error message from syslog-ng =
</span><span style="font-size:9.0pt;font-family:"Courier New";color:black;background:white"><43>Jun 21 10:27:38 </span><b><span style="font-size:9.0pt;font-family:"Courier New";color:#953735;background:white">syslog-ng-<wbr>Server
syslog-ng[2559]: </span></b><b><span style="font-size:10.0pt;font-family:"Courier New";color:#953735;background:white">Error <wbr>processing log message:</span></b><span style="font-size:9.0pt;font-family:"Courier New";color:#953735;background:white">
</span><span style="font-size:9.0pt;font-family:"Courier New";color:black;background:white">xxxxx timestamp, source hostname and payload follows.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";color:black;background:white"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:white">I’ve done some googling, but haven’t been able to find out what error 2559 means.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:white"><u></u> </span></p></div></div></blockquote></div></div></div><div dir="auto">2559 is the pid of the syslog-ng process.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_5726387106009549887WordSection1"><p class="MsoNormal"><span style="color:black;background:white"><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:white">Any thoughts of what I might do to determine what syslog-ng isn’t liking about the syslog it is receiving? I need to relay this information to a developer so they can make adjustments to the python
script.<u></u><u></u></span></p>
<p class="MsoNormal"></p></div></div></blockquote></div></div></div><div dir="auto">After the colon the original message is reproduced verbatim, but as far as I understand you changed that so judging why parsing failed is not possible.</div><div dir="auto"><br></div><div dir="auto">One usual suspect is that you are using legacy BSD-style source, whereas your message is in the 5424 format.</div><div dir="auto"><br></div><div dir="auto">Using the syslog() source instead of tcp/udp can help.</div><div dir="auto"><br></div><div dir="auto">Hope this helps.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_5726387106009549887WordSection1"><p class="MsoNormal"><span style="color:black;background:white"><u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:white">Best regards,<font color="#888888"><u></u><u></u></font></span></p><font color="#888888">
<p class="MsoNormal"><span style="color:black;background:white"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:black;background:white">David<u></u><u></u></span></p>
</font></div>
</div>
<br></blockquote></div><br></div></div></div>
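To check which wire format a sender actually emits before choosing the source driver, as the reply above suggests, the following added example (not part of the original thread) classifies a captured syslog datagram as RFC 5424 or legacy BSD (RFC 3164). The sample messages, host names and the function name `classify` are constructed for illustration.

```python
import re

# PRI is <facility*8 + severity>, valid range 0..191.
PRI = r"<(?P<pri>\d{1,3})>"

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    PRI + r"(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
    r"(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# RFC 3164 (legacy BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    PRI + r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def classify(raw: bytes) -> dict:
    """Report the syslog header format and framing of one captured message."""
    text = raw.decode("utf-8", errors="replace").rstrip("\n")
    framing = "plain"
    prefix = re.match(r"\d+ (?=<)", text)
    if prefix:  # RFC 6587 octet-counting, used by some TCP senders
        framing = "octet-counted"
        text = text[prefix.end():]
    for name, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = pattern.match(text)
        if m and int(m["pri"]) <= 191:
            pri = int(m["pri"])
            return {"format": name, "framing": framing,
                    "facility": pri >> 3, "severity": pri & 7,
                    "hostname": m["hostname"]}
    return {"format": "unknown", "framing": framing}


# Constructed samples: the same event in both header formats.
SAMPLE_5424 = b"<14>1 2018-06-21T10:27:38.003Z app-host myapp 4711 ID47 - user login ok"
SAMPLE_3164 = b"<43>Jun 21 10:27:38 app-host myapp[4711]: user login ok"

if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164, b"not syslog at all"):
        print(classify(sample))
```

A message that classifies as `rfc5424` but arrives on a legacy BSD-style source is the mismatch the reply describes.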