----- Original message -----
Andreas Heinlein <aheinlein@gmx.com> writes:
We have a centralised log server running syslog-ng 3.1 OSE on Debian 6.0. On the client side, we were using syslog-ng but now I'd like to use rsyslog instead (for several reasons).
Independently of the issue below, I'd love to hear the reasons (either on-list, or in private).
Transport should be TLS-encrypted TCP. I have set up a connection between the two, but apparently syslog-ng fails to parse the log messages sent by rsyslog. Every log line goes like this:
Nov 6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log message: <13>Nov 6 11:15:31 admin2-desktop ah: Test4
Does anyone have an idea what to configure with either rsyslog or syslog-ng so the two understand each other?
Relevant server side config:
source s_all { syslog(ip(172.16.x.x) port(6514) max_connections(50) tls(
               ^^^^^^
This is the issue. You're telling syslog-ng to expect the new syslog protocol, but later in the rsyslog.conf, you don't seem to be telling it to send that version, so it will use the legacy BSD format instead.
You have two options: either use tcp() on the syslog-ng side, or ask rsyslog to forward messages according to the new syslog protocol (however it may call it, it's RFC5424 by the way, while RFC3164 is the legacy BSD format).
I have updated the syslog() driver to automatically detect the rfc3164 format, but this happened in 3.3 or 3.4, can't remember which.