[syslog-ng] rsyslog client produces "Error processing log message"

Gergely Nagy algernon at balabit.hu
Tue Nov 6 14:45:48 CET 2012


Andreas Heinlein <aheinlein at gmx.com> writes:

> we have a centralised log server running syslog-ng 3.1 OSE on Debian 
> 6.0. On the client side, we were using syslog-ng but now I'd like to use 
> rsyslog instead (for several reasons).

Independently of the issue below, I'd love to hear the reasons (either
on-list, or in private).

> Transport should be TLS-encrypted TCP. I have set up a connection
> between the two, but apparently syslog-ng fails to parse the log
> messages sent by rsyslog. Every log line goes like this:
>
> Nov  6 11:15:31 admin2-desktop syslog-ng[1578]: Error processing log 
> message: <13>Nov  6 11:15:31 admin2-desktop ah: Test4
>
> Does anyone have an idea what to configure with either rsyslog or 
> syslog-ng so the two understand each other?
>
> Relevant server side config:
> source s_all { syslog(ip(172.16.x.x) port(6514) max_connections(50) tls( 
                 ^^^^^^

This is the issue. You're telling syslog-ng to expect the new syslog
protocol, but later in the rsyslog.conf, you don't seem to be telling it
to send that version, so it will use the legacy BSD format instead.

You have two options: either use tcp() on the syslog-ng side, or ask
rsyslog to forward messages according to the new syslog protocol
(however it may call it, it's RFC5424 by the way, while RFC3164 is the
legacy BSD format).

-- 
|8]
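An added example, not part of the original post and not code from syslog-ng or rsyslog: a small Python classifier that tells the legacy BSD format (RFC3164) from the new syslog protocol (RFC5424), run on the message from the quoted error line. The regexes are simplified readings of the two RFCs, and `classify`, `PAGE_SAMPLE` and `CONSTRUCTED_5424` are names made up for this illustration.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# Legacy BSD syslog (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164 = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<ts>(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# New syslog protocol (RFC 5424):
# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) "
    r"(?P<ts>-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$", re.S)


def classify(line):
    """Return the wire format of one syslog message plus decoded PRI fields."""
    for name, pattern in (("RFC5424", RFC5424), ("RFC3164", RFC3164)):
        m = pattern.match(line)
        if m and int(m["pri"]) <= 191:  # PRI = facility * 8 + severity
            pri = int(m["pri"])
            return {"format": name, "facility": pri >> 3,
                    "severity": pri & 7, "host": m["host"], "msg": m["msg"]}
    return {"format": "unknown"}


# The message from the error line quoted in the post.
PAGE_SAMPLE = "<13>Nov  6 11:15:31 admin2-desktop ah: Test4"
# Constructed: the same event written in the RFC 5424 layout.
CONSTRUCTED_5424 = "<13>1 2012-11-06T11:15:31+01:00 admin2-desktop ah - - - Test4"

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_5424):
        print(classify(sample)["format"], "<-", sample)
```

Feeding the payload of each "Error processing log message" line through `classify` shows which format the sender is actually emitting, which is the mismatch to resolve on one side or the other.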


