[syslog-ng] Extra characters at beginning of line

chris packham chris.packham at alliedtelesis.co.nz
Wed Jan 7 21:36:20 CET 2009

"<134>" is the encoding of the facility severity as per RFC 3164 http://www.ietf.org/rfc/rfc3164.txt (section 4.1.1).

Hopefully someone else on the list can point out why its appearing in your log messages. Can you post your syslog-ng version (syslog-ng -V) and relevant parts of your syslog-ng.conf file.

>>> Florian Hines <lists at syn-recon.net> 01/08/09 8:59 AM >>> 
Hi Everyone,

I'm running into an issue where syslog-ng is adding extra characters to
beginning of every line.  Specifically, "<134>" is getting inserted
right before the time stamp:

<134>Jan  7 13:06:17 host1 kernel: device eth0 entered promiscuous mode

This syslog-ng server is sending traffic to a remote Splunk instance
(using TCP, not UDP), at first I though it was Splunk adding the
characters but when I did a tcpdump on syslog-ng's outbound connection I
found that they where already present.

In addition to sending this traffic to Splunk the syslog-ng instance
also log's local to a file.  The <134> doesn't show up in the local file.

Anyone have any ideas where this is coming from ?

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list