On Tue, 26 Jun 2018 at 00:09, Scheidler, Balázs < balazs.scheidler@balabit.com> wrote:
This list is not official support for Balabit's products and I am not really an rsyslog expert, but let me try to help.
I think the issue might be related to "framing", e.g. syslog-ng configured to expect framing whereas rsyslog not doing it. This page:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
contains a parameter which is TCP_framing that defaults to "no".
In that case, syslog-ng will drop the connection if the framing is not there. See https://tools.ietf.org/html/rfc5425#section-4.3 for a description on what framing is and how it works.
Thanks Bazsi, appreciate the hint, you put me on the right track. For those that come behind me, the major issue I found was the allowed data in the conf file - there didn't seem to be any documentation at all about what values TCP_Framing could take. Case insensitively the following didn't work: yes, true, on Trial and error/guess work discovered that the correct syntax to get this working is "octet-counted" [root@host02 /etc/rsyslog.d]# cat tcp601.conf *.* action(type="omfwd" queue.type="LinkedList" queue.filename="example_fwd_tcp_601" action.resumeRetryCount="-1" queue.saveonshutdown="on" template="RSYSLOG_SyslogProtocol23Format" target="10.126.19.45" Port="601" Protocol="tcp" TCP_Framing="octet-counted") Cheers L.