Hey Matthew,

That was it, thanks!

For people reading this after the fact, I am running syslog-ng-3.1.2-1.rhel5. Using one of the following two sources will work with rfc5424:

    source s_udp { syslog( ip(0.0.0.0) port(514) transport(udp)); };
    source s_udp { udp(flags(syslog-protocol)); };

This one does not parse correctly:

    source s_udp { udp(); };

Regards,

On Thu, Feb 3, 2011 at 6:34 PM, Matthew Hall <mhall@mhcomputing.net> wrote:
> On Thu, Feb 03, 2011 at 05:11:08PM -0800, Lance Laursen wrote:
>> Unfortunately it is showing up in logs as this:
>>
>> 2011-02-03T22:45:30+00:00 localhost 1 2011-02-03T22:14:15.003Z superhostomg process - ID47 [exampleSDID@32473 iut="9" eventSource="rawr" eventID="69"] Message portion. Test log with structured data.
>>
>> So all of the metadata is being printed to $MSG. What am I doing wrong?
>
> Depending on syslog-ng version you probably need this flag:
>
> syslog-protocol
>
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guid...
>
> Regards, Matthew.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html