A second possibility, on top of the items Jerry pointed out (such as possibly using the wrong facilities on the sources, etc.): I see you have set the no_parse flag on your syslog socket. This instructs Syslog that your messages are non-standard or should be handled in a raw fashion. This causes Syslog to be incapable of determining facility, severity, hostname, and tag information. Since it appears nginx is sending properly formed messages, this is likely not what you want.

In order to confirm, you should take a tcpdump with -s 0 to capture entire frames, and load this in Wireshark or tshark with the -V option to look at the payload of the Syslog packets and compare it against what's written in these RFCs and documents:

http://www.ietf.org/rfc/rfc3164.txt
http://www.ietf.org/rfc/rfc5424.txt
http://www.monitorware.com/common/en/articles/syslog-described.php
http://www.networksorcery.com/enp/protocol/syslog.htm

There are many more. You need to be sure you are handling the things you are receiving appropriately for the format which is being sent to you. If you have some messages which should be parsed and some which should not, these should be sent to separate ports so you can have the right flags set on each port.

HTH,
Matthew.

On Wed, Sep 08, 2010 at 06:03:33PM -0400, Jerry Bell wrote:
> On 9/8/2010 5:31 PM, Charlie Reddington wrote:
> > # External Syslog
> > source s_external { udp(ip("0.0.0.0") port(514) flags(no_parse)); };
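Added example, not code from this thread and not syslog-ng's own parser: a minimal Python parser for the RFC 3164 and RFC 5424 header formats referenced above, run over constructed sample datagrams (two in the shape nginx emits through syslog(3), one RFC 5424 line, one with no header at all). It shows which fields a parsing source recovers (facility, severity, hostname, tag, pid) and that a no_parse source keeps the whole datagram as the message and recovers none of them. The facility names are the ones syslog-ng uses; the hostnames, pids and message bodies are made up.

```python
"""Minimal RFC 3164 / RFC 5424 syslog header parser.

Added example for the thread above; not syslog-ng code.  Sample
datagrams are constructed, not captured from any real host.
"""
import re

# Facility numbers 0..23 as named by syslog-ng (RFC 3164 section 4.1.1).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$",
    re.S,
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# SD is "-" or one or more [..] elements; escaped "]" inside values is not handled here.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.S,
)

EMPTY = {"facility": None, "severity": None, "timestamp": None,
         "hostname": None, "tag": None, "pid": None}


def decode_pri(pri):
    """PRI = facility * 8 + severity.  Returns None for values above 191."""
    if not 0 <= pri <= 191:
        return None
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7]


def parse_syslog(line, no_parse=False):
    """Return the header fields a parsing source would extract from one datagram.

    With no_parse=True nothing is extracted: the whole datagram becomes the
    message, which is what flags(no_parse) does to a well-formed nginx line.
    """
    if no_parse:
        return dict(EMPTY, format="raw", message=line)
    for fmt, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if not m:
            continue
        decoded = decode_pri(int(m.group("pri")))
        if decoded is None:
            break  # header shape matched but PRI is out of range
        pid = m.group("pid")
        return {"format": fmt, "facility": decoded[0], "severity": decoded[1],
                "timestamp": m.group("ts"), "hostname": m.group("host"),
                "tag": m.group("tag"),
                "pid": None if pid in (None, "-") else pid,
                "message": m.group("msg") or ""}
    return dict(EMPTY, format="unknown", message=line)


# Constructed sample datagrams (not captured traffic).
SAMPLE_DATAGRAMS = [
    # RFC 3164 access-log line as nginx would hand it to syslog(3): local7.info
    '<190>Sep  8 17:31:05 web01 nginx: 10.0.0.5 - - [08/Sep/2010:17:31:05 -0400] "GET / HTTP/1.1" 200 612',
    # RFC 3164 error line with a pid in the tag: local7.err
    '<187>Sep  8 17:31:07 web01 nginx[1234]: 2010/09/08 17:31:07 [error] 1234#0: *5 open() "/var/www/missing" failed (2: No such file or directory)',
    # RFC 5424 line with one structured-data element: local4.notice
    '<165>1 2010-09-08T21:31:05.003Z web01 nginx 1234 ID47 [exampleSDID@32473 iut="3"] request served',
    # Non-standard line with no PRI at all: the one case that does want no_parse
    'web01 custom-app: no header at all',
]


def summarize(no_parse=False):
    """(format, facility, severity, hostname, tag) for every sample datagram."""
    keys = ("format", "facility", "severity", "hostname", "tag")
    return [tuple(parse_syslog(d, no_parse)[k] for k in keys) for d in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for row in summarize():
        print(row)
    print("same nginx line with no_parse:", summarize(no_parse=True)[0])
```

Feed it the payload strings from a tshark -V dump of UDP/514 to see whether each sender's lines come out as rfc3164, rfc5424 or unknown; only the last group needs a source with no_parse, and it belongs on its own port.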