You sir, are a god send. :) I should have formatted my question this way the first time. On Sep 8, 2010, at 5:16 PM, Matthew Hall wrote:
A second possibility on top of the items Jerry pointed out such as possibly using wrong facilities on the sources, etc.
I see you have set the no_parse flag on your syslog socket.
This instructs Syslog that your messages are non standard or should be handled in a raw fashion. This causes Syslog to be incapable of determining facility, severity, hostname, and tag information. Since it appears nginx is sending properly made messages this is likely not what you want.
This is actually exactly what was wrong with this. I had my doubts about this parse flag, but I was a bit unsure of what it did or didn't do. And we where using it in another location, so I was using that as my template. The way you explained it though, makes perfect sense. I removed it, and everything starting logging the way I expected it to.
There are many more. You need to be sure you are handling the things you are receiving appropriately for the format which is being sent to you.
If you have some messages which should be parsed and some which should not, these should be sent onto separate ports so you can have the right flags set on each port.
Duly noted, I'll make sure to do that when I bring the rest of our gear into the mix with this host. Thanks both of you for the help! Charlie