On Fri, Sep 04, 2015 at 06:42:06AM +0200, Scheidler, Balázs wrote: > you are right, it is a huge oversight. can you pls suggest an on wire > format how this should work? As far as RFC5424 is concerned, how about using a specific SDATA key with balabit's IANA enterpriseId? For JSON this could be a special prefix like `.syslog_ng.TAGS`