Gergely Nagy <algernon <at> balabit.hu> writes:
> Andreas Heinlein <aheinlein <at> gmx.com> writes:
>> we have a centralised log server running syslog-ng 3.1 OSE on Debian 6.0. On the client side, we were using syslog-ng but now I'd like to use rsyslog instead (for several reasons).
> Independently of the issue below, I'd love to hear the reasons (either on-list, or in private).

The main reason is that syslog-ng randomly goes to 100% CPU on the clients (Ubuntu 12.04, previously we used 10.04 and syslog-ng which worked just fine), and I've been trying for several days now to figure out why. So I've decided to try and switch to rsyslog.

>> Transport should be TLS-encrypted TCP. I have set up a connection between the two, but apparently syslog-ng fails to parse the log messages sent by rsyslog. Every log line goes like this:
>>
>> Nov 6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log message: <13>Nov 6 11:15:31 admin2-desktop ah: Test4
>>
>> Does anyone have an idea what to configure with either rsyslog or syslog-ng so the two understand each other?
>>
>> Relevant server side config:
>>
>> source s_all {
>>     syslog(ip(172.16.x.x) port(6514) max_connections(50) tls(
>      ^^^^^^
> This is the issue. You're telling syslog-ng to expect the new syslog protocol, but later in the rsyslog.conf, you don't seem to be telling it to send that version, so it will use the legacy BSD format instead.
>
> You have two options: either use tcp() on the syslog-ng side, or ask rsyslog to forward messages according to the new syslog protocol (however it may call it, it's RFC5424 by the way, while RFC3164 is the legacy BSD format).

I suspected that, but I can't figure out what to configure in rsyslog.conf then. I thought that it would use the new RFC5424 when *not* using RSYSLOG_TraditionalForwardFormat, but maybe it doesn't. I should probably ask on the rsyslog mailing list then. The other way round would break existing syslog-ng clients, so that is not an option.

Thanks for your effort!
Andreas
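As an added illustration of the second option Gergely describes (leave the syslog-ng server on its syslog() source and make rsyslog speak the new protocol), the following pair of configuration fragments is not from the thread or from either project's documentation; it is an example written for this page. The hostnames, IP address, certificate paths and the rsyslog legacy-syntax directives used here are assumptions to be adapted; the key points are the RSYSLOG_SyslogProtocol23Format template, which emits RFC5424 framing-free messages, and the (o) marker, which switches the TCP sender to octet-counted framing. That second point is the caveat a practitioner usually hits after fixing the first: syslog-ng's syslog() source over TCP/TLS expects each RFC5424 message to be prefixed with its length, so an RFC5424 message sent with rsyslog's default newline-delimited framing can still be rejected.

```conf
# --- syslog-ng.conf on the central server (constructed example) ---
# The syslog() driver expects RFC5424 messages with octet-counted framing.
# tcp() would instead accept legacy RFC3164 messages, which is what the
# existing syslog-ng clients send; both sources can coexist on different ports.
source s_rfc5424_tls {
    syslog(
        ip(0.0.0.0) port(6514) transport("tls") max_connections(50)
        tls(
            key_file("/etc/syslog-ng/key.d/server-key.pem")    # placeholder path
            cert_file("/etc/syslog-ng/cert.d/server-cert.pem") # placeholder path
            ca_dir("/etc/syslog-ng/ca.d")                      # placeholder path
        )
    );
};

# --- rsyslog.conf on a client (constructed example, legacy directive syntax) ---
# TLS transport via the gtls netstream driver; client cert paths are placeholders.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/client-key.pem
$ActionSendStreamDriverMode 1                 # 1 = require TLS
$ActionSendStreamDriverAuthMode x509/name     # verify the server certificate
$ActionSendStreamDriverPermittedPeer logserver.example.com   # placeholder name

# Forward everything over TCP (@@) with octet-counted framing ((o)) and the
# RFC5424 output template. Without the template rsyslog sends the legacy
# BSD format; without (o) it sends newline-delimited frames, and syslog-ng's
# syslog() source rejects both with "Error processing log message".
*.* @@(o)logserver.example.com:6514;RSYSLOG_SyslogProtocol23Format
```

A quick way to confirm the framing on the wire is to watch the server port with a packet capture before TLS is enabled on a test port: an octet-counted RFC5424 message starts with a decimal length, a space, and then the `<PRI>1 ` header, whereas legacy output starts with `<PRI>` followed directly by a BSD-style timestamp, exactly as in the rejected line quoted above.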