vCenter 6.5 RFC5425 prefacing messages with a space
Our VMware team has been busy upgrading our infrastructure to 6.5, which is great, but the syslogs started showing up as
2018-02-17T07:00:12 esx.host.name auth.info 1 2018-02-17T07:00:12.162028-08:00 esx.host.name sshd 4662 - - Did not receive identification string from 142.104.139.163 port 51088
which I recognise as RFC5425, so I added the flags(syslog-protocol) to my network source definition. Now the log message arrives much nicer as
2018-02-17T07:48:12 esx.host.name auth.info sshd[20835]: Did not receive identification string from 142.104.139.163 port 42060
but if you look very closely you will notice that there are 2 spaces in "sshd[20835]: Did" and in the original logged message there were 2 spaces preceding the word "Did".
Has anyone seen this before (or currently with your own VMware 6.5)? I'm trying to figure out if this is a bug in syslog-ng or a bug in vCenter 6.5 or a config error on my systems.
Thanks,
Evan.
The RFC says a single space separates values, so syslog-ng behavior seems to be correct. You can always chop a space off as a rewrite rule. And with the recent application adapters framework, you can also submit this quirk into syslog-ng, so it is able to fix this behavior out of the box.
On Feb 17, 2018 17:29, "Evan Rempel" <erempel@uvic.ca> wrote:
Our VMware team has been busy upgrading our infrastructure to 6.5, which is great, but the syslogs started showing up as
2018-02-17T07:00:12 esx.host.name auth.info 1 2018-02-17T07:00:12.162028-08:00 esx.host.name sshd 4662 - - Did not receive identification string from 142.104.139.163 port 51088
which I recognise as RFC5425, so I added the flags(syslog-protocol) to my network source definition. Now the log message arrives much nicer as
2018-02-17T07:48:12 esx.host.name auth.info sshd[20835]: Did not receive identification string from 142.104.139.163 port 42060
but if you look very closely you will notice that there are 2 spaces in "sshd[20835]: Did" and in the original logged message there were 2 spaces preceding the word "Did".
Has anyone seen this before (or currently with your own VMware 6.5)? I'm trying to figure out if this is a bug in syslog-ng or a bug in vCenter 6.5 or a config error on my systems.
Thanks,
Evan.
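Added example, not part of the thread or of syslog-ng: a minimal Python parser for the RFC 5424 message layout (the format carried over the RFC 5425 transport) showing why a second space after STRUCTURED-DATA ends up inside MSG, and why an anchored detection pattern misses the line until one leading space is removed. The sample line is constructed (PRI 38 for auth.info, a documentation IP address), and all function names are hypothetical.

```python
import re

# RFC 5424: SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG]
# Exactly one SP separates fields; anything after that SP belongs to MSG.
_HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
# One SD-ELEMENT: [SD-ID param="value" ...] with \-escapes inside values.
_SD_ELEMENT = re.compile(r'\[[^\s=\]"]+(?: [^\s=\]"]+="(?:\\.|[^"\\\]])*")*\]')

def parse_rfc5424(line):
    """Split one RFC 5424 line into its fields, keeping MSG byte-exact."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    fields = m.groupdict()
    rest = line[m.end():]
    if rest.startswith("-"):            # NILVALUE: no structured data
        sd, rest = "-", rest[1:]
    else:
        end = 0
        while (e := _SD_ELEMENT.match(rest, end)):
            end = e.end()
        if end == 0:
            raise ValueError("bad STRUCTURED-DATA")
        sd, rest = rest[:end], rest[end:]
    if rest and not rest.startswith(" "):
        raise ValueError("missing SP before MSG")
    fields["sd"] = sd
    fields["msg"] = rest[1:]            # remove only the single separator SP
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields

def strip_quirk(msg):
    """Drop one leading space, mirroring the rewrite rule suggested in the reply."""
    return msg[1:] if msg.startswith(" ") else msg

# A detection pattern anchored to the start of MSG, as many sshd rules are.
DETECT = re.compile(r"^Did not receive identification string from (\S+) port (\d+)")

# Constructed sample: two spaces between the "-" structured data and the text.
SAMPLE = ("<38>1 2018-02-17T07:00:12.162028-08:00 esx.host.name sshd 4662 - -"
          "  Did not receive identification string from 192.0.2.10 port 51088")

if __name__ == "__main__":
    parsed = parse_rfc5424(SAMPLE)
    print(repr(parsed["msg"][:5]), bool(DETECT.match(parsed["msg"])),
          bool(DETECT.match(strip_quirk(parsed["msg"]))))
```

A strict parse keeps the extra space in MSG, so rules anchored with `^` should run on the normalized message or tolerate leading whitespace.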
Participants (2): Evan Rempel; Scheidler, Balázs