Looks like messages are being properly filtered now. I substituted “syslog” with “network”, and the parsing errors went away. However, I’m not sure of the implications of this change? Network() source options vs. syslog() source options.

source s_network {
    ## syslog(transport("udp") port(528));
    network(transport("udp") port(528));
};

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of David Campeau
Sent: Friday, June 22, 2018 3:04 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng parsing Error

Thank you for the response. This is how the source is set up and is listening. It is expecting UDP on port 528. You mentioned syslog(), but does my example need to be tweaked in some way?

source s_network {
    syslog(transport("udp") port(528));
};

Best Regards,

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Scheidler, Balázs
Sent: Friday, June 22, 2018 12:44 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng parsing Error

On Jun 21, 2018 18:11, "David Campeau" <David.Campeau@tn.gov> wrote:

Hello,

I have a syslog source node sending syslogs, and they are being generated via a python script, and is using Python Rfc5426SysLogHandler. So, these syslog messages should be RFC compliant. However, syslog-ng does prepend an error message before sending it on to be put into storage.

Example error message from syslog-ng =
<43>Jun 21 10:27:38 syslog-ng-Server syslog-ng[2559]: Error processing log message: xxxxx timestamp, source hostname and payload follows.

I’ve done some googling, but haven’t been able to find out what error 2559 means.

2559 is the pid of the syslog-ng process.

Any thoughts of what I might do to determine what syslog-ng isn’t liking about the syslog it is receiving? I need to relay this information to a developer so they can make adjustments to the python script.

After the colon the original message is reproduced verbatim, but as far as I understand you changed that so judging why parsing failed is not possible. One usual suspect is that you are using legacy bsd style source, whereas your message is in the 5424 format. Using the syslog() source instead of tcp/udp can help.

Hope this helps.

Best regards,
David
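
An added example, not part of the original thread: a small Python check that reports whether a captured datagram is framed as RFC 5424 (the format the syslog() source parses) or as legacy BSD/RFC 3164 (the default for network()), and names the first header field that breaks the RFC 5424 grammar. The function name and the sample datagrams are constructed for illustration.

```python
import re

# RFC 5424 HEADER fields that follow <PRI>, with the length limits from its ABNF.
FIELDS_5424 = [
    ("VERSION", r"[1-9][0-9]{0,2}"),
    ("TIMESTAMP", r"-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?(Z|[+-]\d\d:\d\d)"),
    ("HOSTNAME", r"[\x21-\x7e]{1,255}"),
    ("APP-NAME", r"[\x21-\x7e]{1,48}"),
    ("PROCID", r"[\x21-\x7e]{1,128}"),
    ("MSGID", r"[\x21-\x7e]{1,32}"),
]
PRI = re.compile(r"<(\d{1,3})>")
# RFC 3164 timestamp, e.g. "Jun 21 10:27:38 " (day may be space-padded).
BSD_TS = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def classify(datagram: bytes):
    """Return (format, problem); format is 'rfc5424', 'rfc3164' or 'invalid'."""
    try:
        text = datagram.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid", "payload is not valid UTF-8"
    m = PRI.match(text)
    if not m or int(m.group(1)) > 191:
        return "invalid", "missing or out-of-range <PRI>"
    rest = text[m.end():]
    if BSD_TS.match(rest):
        return "rfc3164", "BSD timestamp follows PRI; no VERSION field"
    parts = rest.split(" ", len(FIELDS_5424))
    for (name, pattern), value in zip(FIELDS_5424, parts):
        if not re.fullmatch(pattern, value):
            return "invalid", f"{name} field {value!r} violates RFC 5424"
    if len(parts) <= len(FIELDS_5424):
        return "invalid", "header ends before STRUCTURED-DATA"
    sd = parts[-1]
    if not (sd == "-" or sd.startswith("- ") or sd.startswith("[")):
        return "invalid", "STRUCTURED-DATA must be '-' or start with '['"
    return "rfc5424", None


if __name__ == "__main__":
    # Constructed sample datagrams, not taken from the thread.
    for raw in (
        b"<14>1 2018-06-21T10:27:38-05:00 apphost myscript 4242 - - login ok",
        b"<14>Jun 21 10:27:38 apphost myscript[4242]: login ok",
        b"<14>1 2018-06-21 10:27:38 apphost myscript 4242 - - login ok",
    ):
        print(classify(raw), raw)
```

Running it over datagrams captured from the sending script shows which source driver matches what is actually on the wire.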