On Wed, 2009-04-22 at 11:08 -0500, adam.j.brendamour@accenture.com wrote:
> I am using the syslog() drivers to send and receive messages. The original message polled from a file log is: [16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"
> Syslog-ng then sends the message to the relay server, adding the header to the original message: 16 09:31:07 hostname IP - -

This seems to be a new style format, although it is a little bit garbled. Could you send me a tcpdump/strace that shows the exact characters sent and received?

> The syslog-ng relay collects the messages and forwards them on to another source and the header gets changed to this: Apr 16 09:31:07 relay_IP 125 <0>1 2009-04-16T09:31:02-07:00 hostname - - - - IP - -
> I am using the syslog() drivers across the board on the client and relay. Unfortunately, through testing and research, I have not found a way to stop these headers from being created at the beginning of the syslog messages.

Are you sure you are receiving this message with the syslog() driver? The above case clearly indicates that syslog-ng processed it in non-syslog mode.

-- Bazsi
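Added example, not part of the original thread or of syslog-ng: a small Python check for collected log lines in which a complete RFC 5424 record, frame length included, has ended up as the payload of a legacy `Mmm dd hh:mm:ss host` header, as in the relayed line quoted above. Reading the `125` in that line as an octet-count prefix is an assumption of this example, and the function and field names are hypothetical.

```python
import re

# Legacy (BSD-style) header: "Mmm dd hh:mm:ss host <payload>"
LEGACY = re.compile(
    r"^(?P<outer_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<outer_host>\S+) (?P<payload>.*)$", re.S)

# RFC 5424 header, optionally preceded by an octet-count frame length.
# Structured data is matched loosely ("-" or one bracketed run), which is
# enough to recognise the record; it is not a full SD-ELEMENT parser.
RFC5424 = re.compile(
    r"^(?:(?P<framelen>\d+) )?<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$", re.S)

def find_embedded_rfc5424(line):
    """Return the inner RFC 5424 fields if `line` is a legacy-framed record
    whose payload is itself an RFC 5424 record, otherwise None."""
    outer = LEGACY.match(line)
    if outer is None:
        return None
    inner = RFC5424.match(outer.group("payload"))
    if inner is None:
        return None
    fields = inner.groupdict()
    pri = int(fields["pri"])
    fields["facility"], fields["severity"] = pri >> 3, pri & 7
    fields["outer_ts"] = outer.group("outer_ts")
    fields["outer_host"] = outer.group("outer_host")
    return fields

# The relayed line as quoted in the thread (hostname/IP are the poster's placeholders).
RELAYED = ("Apr 16 09:31:07 relay_IP 125 <0>1 2009-04-16T09:31:02-07:00 "
           "hostname - - - - IP - -")
# The original file-log line as quoted in the thread.
ORIGINAL = '[16/Apr/2009:09:31:02 -0700] "GET / HTTP/1.1" 302 427 "-" "-"'

if __name__ == "__main__":
    for sample in (RELAYED, ORIGINAL):
        hit = find_embedded_rfc5424(sample)
        print("double-wrapped" if hit else "ok", "|", sample)
        if hit:
            print("  inner host:", hit["host"], "inner ts:", hit["ts"],
                  "frame length:", hit["framelen"])
```

A hit means the inner timestamp and host are the ones to trust for correlation, and that the receiving source should be checked against the sender's transport and framing settings.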