On Fri, 2011-02-04 at 11:55 -0800, Lance Laursen wrote:
Hey Matthew,
That was it, thanks!
For people reading this after the fact, I am running syslog-ng-3.1.2-1.rhel5. Using one of the following two sources will work with rfc5424:

    source s_udp { syslog( ip(0.0.0.0) port(514) transport(udp)); };
    source s_udp { udp(flags(syslog-protocol)); };

This one does not parse correctly:

    source s_udp { udp(); };

Yup, this is the legacy source. The preferred format is to use the syslog() driver; the flags() stuff is there for mere completeness.

The reason is TCP: syslog-ng is able to use the old-style, framing-less protocol by using tcp(flags(syslog-protocol)), whereas syslog(transport(tcp)) uses framing too.

udp(flags(syslog-protocol)) is the same as syslog(transport(udp)).

--
Bazsi
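
The framed versus framing-less TCP distinction described above, as an added example that is not part of the original thread or of syslog-ng's code. It assumes framing means octet counting ("LEN SP MSG") and that framing-less means one message per newline-terminated line; the sample messages and function names are constructed for illustration.

```python
import re

# An RFC 5424 message starts with <PRI>VERSION SP, e.g. "<34>1 "
RFC5424_START = re.compile(rb"^<(\d{1,3})>1 ")

def split_octet_counted(stream: bytes):
    """Split a TCP byte stream that uses octet-counting framing."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1 or not stream[pos:sp].isdigit():
            raise ValueError(f"no octet count at offset {pos}")
        end = sp + 1 + int(stream[pos:sp])
        if end > len(stream):
            raise ValueError("truncated frame")
        msgs.append(stream[sp + 1:end])
        pos = end
    return msgs

def split_newline(stream: bytes):
    """Split a framing-less stream: every LF ends a message."""
    return [m for m in stream.split(b"\n") if m]

def is_rfc5424(msg: bytes) -> bool:
    """True if the message begins with a valid RFC 5424 PRI and version 1."""
    m = RFC5424_START.match(msg)
    return bool(m) and int(m.group(1)) <= 191

# Constructed sample messages; M1 carries an embedded newline in its text.
M1 = b"<34>1 2011-02-04T11:55:00-08:00 host1 app 123 ID47 - first line\nsecond line"
M2 = b"<13>1 2011-02-04T11:55:01-08:00 host1 app - - - ok"
LEGACY = b"<13>Feb  4 11:55:02 host1 app: old BSD-style message"

FRAMED = b"".join(b"%d %s" % (len(m), m) for m in (M1, M2))
PLAIN = M1 + b"\n" + M2 + b"\n"

if __name__ == "__main__":
    # Framed: the octet count keeps M1 intact despite its embedded newline.
    for m in split_octet_counted(FRAMED):
        print("framed  ", is_rfc5424(m), m)
    # Framing-less: M1 is cut at the newline; the tail has no RFC 5424 header.
    for m in split_newline(PLAIN):
        print("unframed", is_rfc5424(m), m)
    print("legacy  ", is_rfc5424(LEGACY), LEGACY)
```

With framing-less input, the second half of a multi-line message arrives as a separate record with no header, which is worth accounting for when writing parsers or detection rules downstream of such a source.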