[syslog-ng] vCenter 6.5 RFC5425 prefacing messages with a space

Evan Rempel erempel at uvic.ca
Sat Feb 17 16:28:58 UTC 2018

Our VMWare team has been busy upgrading out infrastructure to 6.5 which 
is great, but the syslogs started showing up as

2018-02-17T07:00:12 esx.host.name auth.info 1 
2018-02-17T07:00:12.162028-08:00 esx.host.name sshd 4662 - -  Did not 
receive identification string from port 51088

which I recognise as RFC5425, So I added the flags(syslog-protocol) to 
my network source definition. Now the log message arrives much nicer as

2018-02-17T07:48:12 esx.host.name auth.info sshd[20835]:  Did not 
receive identification string from port 42060

but if you look very closely you will notice that there are 2 spaces in 
"sshd[20835]:  Did" and in the original logged message there were 2 
spaces preceding the word "Did".

Has anyone seen this before (or currently with your own VMWare 6.5). I'm 
trying to figure out if this is a bug in syslog-ng or a bug in vCenter 
6.5 or a config error on my systems.



More information about the syslog-ng mailing list