On Tue, 2007-11-06 at 10:27 -0500, Mike Fratto wrote:
Bazsi,
I am inspecting on the relay itself. Pasted below is the sent message and the relayed message. The sent message appears to be rfc3164 formatted already. In the relayed message, syslog-ng prepends the sent time stamp and the hostname onto the existing message. For messages that send raw non rfc-3164 formatted messages, that's OK (desired in fact), but for sources that do send rfc-3164 formatted messages, it's redundant. I also pasted my config file at the end.
I started out wanting syslog-ng to transparently forward messages. So is what I am seeing the expected behavior?
But after looking more deeply at the sources, what I want to do is have syslog-ng reformat non-rfc3164 messages to that format (which I can do with macros).
mike
10:06:14.322290 IP (tos 0x0, ttl 127, id 29867, offset 0, flags [none], proto UDP (17), length 131) 192.168.14.5.dcs > 192.168.17.212.syslog: SYSLOG, length: 103
    Facility mail (2), Severity notice (5)
    Msg: Nov 06 10:11 example.com 10:11:48.866 2 SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes
The problem is that the timestamp is not complete, it does not contain seconds information. As it is not properly formatted, syslog-ng assumes that it's not RFC3164 and takes the complete line as a message.

-- Bazsi
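
The header check described in the reply above, as an added example that is not part of the original thread and is not syslog-ng's own code. It is a simplified model: the "<21>" PRI is reconstructed from the facility and severity in the capture, the sender address stands in for the prepended hostname, and the names split_header and relay are hypothetical.

```python
import re
from datetime import datetime

# RFC 3164 packet layout: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG"
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"([ 0-3]\d) (\d{2}):(\d{2}):(\d{2}) "   # seconds are mandatory
)

def split_header(packet):
    """Return (pri, timestamp, host, msg); timestamp and host are None
    when the text after the PRI is not a complete RFC 3164 header."""
    m = PRI_RE.match(packet)
    pri = int(m.group(1)) if m else 13       # RFC 3164 default PRI
    rest = packet[m.end():] if m else packet
    ts = TS_RE.match(rest)
    if not ts:
        return pri, None, None, rest          # whole line is the message
    host, _, msg = rest[ts.end():].partition(" ")
    return pri, ts.group(0).rstrip(), host, msg

def relay(packet, sender, received_at):
    """Model of the relay: keep a valid header, otherwise prepend one."""
    pri, ts, host, msg = split_header(packet)
    if ts is None:
        ts = received_at.strftime("%b %d %H:%M:%S")
        host = sender                         # assumption: sender address
    return f"<{pri}>{ts} {host} {msg}"

# Constructed from the capture in the thread (timestamp has no seconds).
SENT = ("<21>Nov 06 10:11 example.com 10:11:48.866 2 "
        "SMTPI-459393(barracuda.example.com) [10865267] received, 6909 bytes")
# Constructed variant with a complete timestamp, for comparison.
FIXED = SENT.replace("Nov 06 10:11 ", "Nov 06 10:11:48 ", 1)

if __name__ == "__main__":
    when = datetime(2007, 11, 6, 10, 6, 14)
    print(relay(SENT, "192.168.14.5", when))   # header is prepended
    print(relay(FIXED, "192.168.14.5", when))  # forwarded unchanged
```

With the seconds missing, the original timestamp and hostname end up inside the message body behind the relay's own header, which is the duplication seen in the relayed message.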