Hmmm - looks like (maybe) the message part is not being parsed correctly at the rsyslog server - the MSG part seems to have a syslog message header including a TIMESTAMP, the HOSTNAME of the originating server MD_FWPA01, followed by the rest of the MSG.

I may be missing something - and it might not be RFC 5424 https://tools.ietf.org/html/rfc5424 compliant - but I think the rsyslogd is wrapping the whole thing in another header before it is being sent along.

Jim

On Mon, Feb 5, 2018 at 3:50 PM, Scot <scotrn@gmail.com> wrote:

The Msg: header seems to be formatted correctly. Relabeled some data.

15:44:07.886743 IP (tos 0x10, ttl 64, id 8925, offset 0, flags [none], proto UDP (17), length 513)
    RSYSLOG_RELAYIP.58828 > IDS_TARGETIP.syslog: SYSLOG, length: 485
        Facility local0 (16), Severity info (6)
        Msg: 1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - 15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,10.162.57.38,172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log,,,not-applicable,vsys1,SOUND-Trust,SOUND-Untrust,ae2.100,,SOUND-LogForwarder,2018/02/05 15:44:07,0,1,60886,443,0,0,0x4000,udp,deny,1396,1396,0,1,2018/02/05 15:44:07,0,any,0,95104452051,0x0,10.0.0.0-10.255.255.255,US,0,1,0,policy-deny,21,12,23,0,SOUND,MD_FWPA01,from-policy\0x0a

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
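To check what Jim describes against the bytes Scot captured, here is a small RFC 5424 header parser (an example added to this page, not code from the thread, from rsyslog or from syslog-ng). It parses the captured Msg: payload with the PRI re-attached (<134>, i.e. the local0/info that the tcpdump decode shows) and, for comparison, a constructed textbook message with structured data. The splitting follows the RFC's grammar: VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID and MSGID are space-separated and cannot contain spaces, STRUCTURED-DATA is either "-" or one or more bracketed elements, and whatever follows is MSG. The CAPTURED and CONSTRUCTED samples and the device_record helper are assumptions of this example.

```python
"""Minimal RFC 5424 parser (added example, not code from the thread).

Splits a syslog line into its RFC 5424 HEADER fields and the free-form MSG,
so you can see which part of a relayed message landed in which field.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Optional PRI "<n>" followed by the VERSION digit(s) and a space.
PRI_VERSION = re.compile(r"^(?:<(\d{1,3})>)?(\d{1,2}) ")


@dataclass
class Syslog5424:
    pri: Optional[int]
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: List[str]  # raw "[...]" elements; empty when NILVALUE "-"
    msg: str

    @property
    def facility(self) -> Optional[int]:
        return None if self.pri is None else self.pri >> 3

    @property
    def severity(self) -> Optional[int]:
        return None if self.pri is None else self.pri & 7


def _take_sd(rest: str) -> Tuple[List[str], str]:
    """Consume STRUCTURED-DATA: '-' or one or more [SD-ELEMENT]s.
    A ']' inside a PARAM-VALUE must be escaped as '\\]', which is honoured."""
    if rest.startswith("-"):
        return [], rest[1:]
    elems: List[str] = []
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1  # skip escaped characters
        if j >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        elems.append(rest[i:j + 1])
        i = j + 1
    if not elems:
        raise ValueError("STRUCTURED-DATA must be '-' or [..] elements")
    return elems, rest[i:]


def parse_5424(line: str) -> Syslog5424:
    m = PRI_VERSION.match(line)
    if not m:
        raise ValueError("no RFC 5424 VERSION field (BSD-style header?)")
    pri = int(m.group(1)) if m.group(1) else None
    version = int(m.group(2))
    # TIMESTAMP HOSTNAME APP-NAME PROCID MSGID: SP-delimited, never contain SP.
    parts = line[m.end():].split(" ", 5)
    if len(parts) < 6:
        raise ValueError("short RFC 5424 header")
    ts, host, app, procid, msgid, rest = parts
    sd, rest = _take_sd(rest)
    msg = rest[1:] if rest.startswith(" ") else rest  # MSG is optional
    return Syslog5424(pri, version, ts, host, app, procid, msgid, sd, msg)


# The Msg: payload from the tcpdump in the thread, with PRI <134> (local0.info)
# put back in front of it; relabelled addresses kept as posted.
CAPTURED = (
    "<134>1 2018-02-05T15:44:07-05:00 MD_FWPA01 1,2018/02/05 - - - "
    "15:44:07,007801000484,TRAFFIC,drop,1,2018/02/05 15:44:07,10.162.57.38,"
    "172.217.3.36,0.0.0.0,0.0.0.0,Default-Deny-Log,,,not-applicable,vsys1,"
    "SOUND-Trust,SOUND-Untrust,ae2.100,,SOUND-LogForwarder,2018/02/05 15:44:07,"
    "0,1,60886,443,0,0,0x4000,udp,deny,1396,1396,0,1,2018/02/05 15:44:07,0,any,0,"
    "95104452051,0x0,10.0.0.0-10.255.255.255,US,0,1,0,policy-deny,21,12,23,0,"
    "SOUND,MD_FWPA01,from-policy"
)

# Constructed, well-formed message with structured data, for comparison.
CONSTRUCTED = (
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
    '[exampleSDID@32473 iut="3" eventSource="Application"] An application event'
)


def device_record(line: str) -> str:
    """Assumption of this example: re-join APP-NAME and MSG to recover the
    originating device's own CSV record when a relay split it across them."""
    p = parse_5424(line)
    return f"{p.appname} {p.msg}" if p.msg else p.appname


if __name__ == "__main__":
    for name, line in (("captured", CAPTURED), ("constructed", CONSTRUCTED)):
        p = parse_5424(line)
        print(f"{name}: facility={p.facility} severity={p.severity} "
              f"host={p.hostname} app={p.appname!r} sd={p.structured_data} "
              f"msg={p.msg[:40]!r}")
```

On the captured line the parser returns APP-NAME "1,2018/02/05" and an MSG that begins "15:44:07,007801000484,TRAFFIC,...": the originating device's own timestamp and the rest of its comma-separated record sit behind a second RFC 5424 header, which is the wrapping Jim is pointing at, and a receiver that keys on APP-NAME will see "1,2018/02/05" as the program name. Running device_record over a few lines of relay output is a quick way to confirm that re-joining those two fields gives back one intact record.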