On Mon, 25 Jun 2018 at 11:21, Lachlan Musicman <datakid@gmail.com> wrote:
I don't understand why this isn't working. I'm not seeing any data in our Balabit appliance.

I have a regular default installation of CentOS 7.5, and have followed the RedHat 7 rsyslog directions with regard to setting up a new message filter:

I've added a single file to /etc/rsyslog.d/

[root@host02 /etc/rsyslog.d]#  cat tcp601.conf
*.* action(type="omfwd"
           # disk-assisted queue: spool to disk and retry forever if the target is down
           queue.type="LinkedList"
           queue.filename="example_fwd_tcp_601"
           action.resumeRetryCount="-1"
           queue.saveonshutdown="on"
           # RFC 5424 message layout
           template="RSYSLOG_SyslogProtocol23Format"
           target="10.126.19.45" Port="601" Protocol="tcp")

But I'm not getting anything at the appliance?

The Appliance Log Source seems to be set up correctly (no licensing issues, port 601 is set, Syslog format (I was told that is RFC 5425) selected).

Note that when we change the Appliance Source to legacy instead of Syslog, the above works, but it doesn't parse well with that template in rsyslog -- program is listed as <digit> and all other data is in the msg field. Removing the template line does give us a normal "legacy" format.

Cheers
L.
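The following is an added example and is not part of the original post. It is a small Python model of the two things this message turns on: what an RFC 5424 line (the shape `RSYSLOG_SyslogProtocol23Format` produces) looks like when a receiver reads it with a legacy RFC 3164 parser, and how the two TCP framings of RFC 6587 (LF-terminated, which rsyslog's omfwd sends by default, versus octet-counted) differ on the wire. The sample log lines are constructed, and the lenient fallback in `parse_legacy` is an assumption modelled on the symptom described above (program shows up as a single digit), not the appliance's actual parsing code.

```python
"""Added example (not from the original post): RFC 5424 vs. legacy RFC 3164
parsing of one syslog line, and RFC 6587 TCP framing. Sample lines are
constructed; the lenient legacy fallback is an assumption, see parse_legacy."""
import re

# Constructed sample of what RSYSLOG_SyslogProtocol23Format emits:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SAMPLE_5424 = ('<86>1 2018-06-25T11:21:00.123456+10:00 host02 sshd 1234 - - '
               'Accepted publickey for root from 10.0.0.5')
# Constructed sample of the legacy RFC 3164 shape (rsyslog's default forward format)
SAMPLE_3164 = ('<86>Jun 25 11:21:00 host02 sshd[1234]: '
               'Accepted publickey for root from 10.0.0.5')

_RE_5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$',
    re.DOTALL)

_RE_3164 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<app>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$', re.DOTALL)


def parse_5424(line):
    """Strict RFC 5424 parse; raises ValueError if the line is not RFC 5424."""
    m = _RE_5424.match(line)
    if not m:
        raise ValueError('not RFC 5424')
    d = m.groupdict()
    d['facility'], d['severity'] = divmod(int(d.pop('pri')), 8)
    d['msg'] = d['msg'] or ''
    return d


def parse_legacy(line):
    """Lenient RFC 3164 parse. Tries the strict BSD layout first; otherwise falls
    back the way many legacy receivers do (ASSUMPTION modelled on the symptom in
    the post, not the appliance's code): the first token after <PRI> becomes
    the program/tag and everything else lands in the message field."""
    m = _RE_3164.match(line)
    if m:
        d = m.groupdict()
    else:
        m = re.match(r'^<(?P<pri>\d{1,3})>(?P<app>\S+) ?(?P<msg>.*)$', line, re.DOTALL)
        if not m:
            raise ValueError('no PRI')
        d = m.groupdict()
        d.update(ts=None, host=None, pid=None)
    d['facility'], d['severity'] = divmod(int(d.pop('pri')), 8)
    return d


def frame_non_transparent(msg):
    """RFC 6587 non-transparent framing: message terminated by LF.
    This is what rsyslog's omfwd sends over TCP by default."""
    return msg.encode('utf-8') + b'\n'


def frame_octet_counted(msg):
    """RFC 6587 octet-counting framing: "<byte-length> <message>"."""
    body = msg.encode('utf-8')
    return b'%d ' % len(body) + body


def split_octet_counted(stream):
    """Split a byte stream of octet-counted frames back into messages.
    Raises ValueError on a stream that is not octet-counted (e.g. LF-framed),
    which is what a receiver that insists on octet-counting would reject."""
    out, i = [], 0
    while i < len(stream):
        sp = stream.find(b' ', i)
        if sp < 0 or not stream[i:sp].isdigit():
            raise ValueError('frame at offset %d has no octet count' % i)
        n, start = int(stream[i:sp]), sp + 1
        if start + n > len(stream):
            raise ValueError('truncated frame')
        out.append(stream[start:start + n].decode('utf-8'))
        i = start + n
    return out


if __name__ == '__main__':
    print('5424 line, 5424 parser, program =', parse_5424(SAMPLE_5424)['app'])
    print('5424 line, legacy parser, program =', parse_legacy(SAMPLE_5424)['app'])
    print('3164 line, legacy parser, program =', parse_legacy(SAMPLE_3164)['app'])
    print(frame_octet_counted(SAMPLE_5424)[:40])
```

Feeding the RFC 5424 sample through `parse_legacy` reproduces the "program is a digit" symptom: the version field `1` is taken as the tag and the timestamp onward becomes the message. On the framing side, `split_octet_counted` accepts what `frame_octet_counted` produces and rejects an LF-framed stream outright; rsyslog's omfwd selects between the two with its `TCP_Framing` parameter ("traditional" is the default, "octet-counted" the alternative), which is worth checking against whatever the receiving source expects.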