Double checking; is the list dead? I did not receive a bounce.

On Saturday, July 29, 2023 at 11:06:28 PM GMT+9, Greg Christopher <gregory_christopher@yahoo.com> wrote:

Hi All,

Did my best (about a week effort) to find this information online and apologize if it's obvious.

I am trying to use syslog-ng as a client to send messages to a syslog compliant server with the proper severity and facility set. I am starting with plain-text log files.

The syslog RFC as well as the syslog-ng documentation are pretty clear about the syslog message format itself. There are even syslog-ng functions to substitute severity and facility using a function called "rewrite". But this doesn't seem to work if you are starting with a regular application log. In other words, there is nothing to "rewrite" since this header was never there to begin with.

Although I initially configured my application log with flags(no-parse), I attempted to remove it so that my rewrite attempt would at least have a facility and severity to "rewrite", but this also seems to have failed.

Next I attempted prepending "<81>" (8*10 + 1) to the application messages to get the right priority field but this failed to change what the syslog-ng server on the other end received, as I have modified its output to include severity and facility:

---
destination d_local {
    file("/var/log/syslog-ng/$HOST"
        template("Fac: $FACILITY Pri: $PRIORITY $ISODATE $HOST $(format-welf --scope all-nv-pairs)\n")
        frac-digits(3));
};
---

It does seem to be working properly but the above two approaches to increasing the severity and noting this is a security facility message failed.

So it seems this use case where we create syslog entries from scratch sort of throws a curve ball at syslog-ng clients, at least from what I can figure. Any help on how I can set these manually into the destination would be greatly appreciated.

Here is my syslog-ng.conf at the moment; note I pull log file name out of environment variable:

---
@version: 4.1

# Configure the source to read from the messages log file
# no-parse means whole line becomes "message" portion.
# Template should indicate security alert to syslog daemon
source s_APP_LOG {
    file(`APP_LOG`);
    # file(`APP_LOG` flags(no-parse));
};

rewrite set_pri_fields {
    set-severity("alert");
    set-facility("security");
};

destination d_destination {
    syslog(`syslogServer`);
};

# Configure the log statement to route messages from the application log file to
# the syslog server specified on the command line
log {
    source(s_APP_LOG);
    rewrite(set_pri_fields);
    destination(d_destination);
};
---

Greg
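
The priority arithmetic from the message above (8*10 + 1 = 81), as an added example that is not part of the original post and is not syslog-ng code: a Python helper that encodes and decodes the PRI field and wraps a plain-text log line in an RFC 5424 header, useful for checking what a sender emitted or a receiver stored. The function names, host name, app name and sample log line are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424, section 6.2.1 (facility subset).
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "audit": 13, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(line):
    """Return (facility_code, severity_code, rest); (None, None, line) if no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None, None, line
    pri = int(m.group(1))
    return pri >> 3, pri & 7, line[m.end():]


def frame_rfc5424(msg, facility, severity, host, app, when=None):
    """Wrap one plain-text log line in an RFC 5424 header."""
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # millisecond precision
    # Drop any PRI already glued to the line so it is not sent twice.
    _, _, body = decode_pri(msg)
    # Fields: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    return f"<{encode_pri(facility, severity)}>1 {ts} {host} {app} - - - {body}"


if __name__ == "__main__":
    # Constructed sample line, host name and app name.
    sample = "login failure for user admin from 192.0.2.10"
    when = datetime(2023, 7, 29, 14, 6, 28, tzinfo=timezone.utc)
    print(frame_rfc5424(sample, "authpriv", "alert", "apphost", "myapp", when))
    print(decode_pri("<81>" + sample)[:2])
```
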