[syslog-ng] Issues while using Syslog destination driver

Balazs Scheidler bazsi at balabit.hu
Thu Jan 13 17:01:23 CET 2011


On Tue, 2010-12-28 at 09:27 -0800, Amit Khare wrote:
> Hi,
>  
> I am getting a weird issue while using the syslog destination driver.
> I am sending an xml message to syslog (syslog-ng 3.1) and forwarding
> the message over to another destination. 
>  
> The relevant entries in my syslog.conf look as follows:
>  
> filter f_atna { facility(local7); };
>  
> destination d_loghost { syslog("19.16.2.9" transport("tcp") port(6514)
> template("$MESSAGE")); };
>  
> log { source(src); filter(f_atna); destination(d_loghost); };
>  
> The problem I am running into is that the xml message is not getting
> processed on the other side because some weird characters are getting
> added in the xml message:
>  
> <?xml - - - version="1.0" encoding="UTF-8"?>
>  
> The above xml tag is constant in my program and therefore I am not
> inserting it and I don't even see it in /var/log/localmessages:
>  
> Dec 28 11:01:07 10.15.1.1 <?xml version="1.0" encoding="UTF-8"?>
>  
> but I do see it in my tcpdump. 
>  
> I am not seeing these weird dashes when I use the tcp destination
> driver but the message is not in the required format so it blows up on
> the other side. 
>  
> Has anyone seen this issue before?  Any help will be greatly
> appreciated. 
>  

How is your "src" source defined? Your original post lacked this detail.

Those dashes seem to be the "no-such-value-defined" special values for
various RFC5424 fields, so I'm assuming that your "src" source is using
the syslog() driver too.

Exactly how is the message sent to your "src" source formatted? Strictly
the on-the-wire format, preferably from tcpdump or strace.

-- 
Bazsi
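
To illustrate the RFC 5424 header fields and the "-" placeholder mentioned in the reply above, here is an added example (not part of the original thread, and not syslog-ng code). It splits one wire line into its fields and lists which of them carry the nil value; the sample line is constructed around the fragment quoted in the post, with an assumed priority and timestamp.

```python
import re

NIL = "-"  # RFC 5424 NILVALUE: "this field has no value"
HEADER = ("timestamp", "hostname", "app_name", "procid", "msgid")
# One SD-ELEMENT: [id k="v" ...]; inside quotes, \" \\ and \] are escapes.
SD_ELEMENT = re.compile(r'\[(?:[^\]\\"]|"(?:[^"\\]|\\.)*")*\]')

# Constructed sample: only the '<?xml - - - version=...' part comes from the
# post; priority 190 (local7.info) and the timestamp are assumptions.
SAMPLE = ('<190>1 2010-12-28T11:01:07-08:00 10.15.1.1 '
          '<?xml - - - version="1.0" encoding="UTF-8"?>')

def parse_rfc5424(line):
    """Split one RFC 5424 line into PRI, header fields, structured data, MSG."""
    m = re.match(r"<(\d{1,3})>(\d{1,2}) ", line)
    if not m:
        raise ValueError("not RFC 5424: missing <PRI>VERSION prefix")
    pri = int(m.group(1))
    rec = {"facility": pri >> 3, "severity": pri & 7, "version": int(m.group(2))}
    rest = line[m.end():]
    for name in HEADER:  # five space-separated header fields
        rec[name], sep, rest = rest.partition(" ")
        if not sep:
            raise ValueError("truncated header at " + name)
    if rest == NIL or rest.startswith(NIL + " "):
        sd, rest = NIL, rest[1:]
    else:  # one or more adjacent [..] elements
        pos = 0
        while (e := SD_ELEMENT.match(rest, pos)):
            pos = e.end()
        if pos == 0:
            raise ValueError("malformed STRUCTURED-DATA")
        sd, rest = rest[:pos], rest[pos:]
    rec["structured_data"] = sd
    rec["msg"] = rest[1:] if rest.startswith(" ") else ""
    return rec

def nil_fields(rec):
    """Names of the fields the sender filled with the nil value."""
    return [k for k in (*HEADER, "structured_data") if rec[k] == NIL]

if __name__ == "__main__":
    rec = parse_rfc5424(SAMPLE)
    for key, value in rec.items():
        print(f"{key:16} {value!r}")
    print("nil fields:", nil_fields(rec))
```

Read this way, the three dashes are PROCID, MSGID and STRUCTURED-DATA, with `<?xml` sitting in the APP-NAME position and the rest of the tag in MSG.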



