Syslog facility lost while sending long messages


antiBILLotic

I'm using nxlog to send logs from Windows Event Log to rsyslogd.

To identify my Windows hosts, I use the local6 facility. So they are logged to a separate folder based on IP and facility: local6 messages are logged to /var/log/hosts/windows/SERVER_IP/remote.log, all other facilities (non-local6) are logged to /var/hosts/linux/SERVER_IP/remote.log

The thing is, I sometimes find new messages in /var/log/hosts/linux/WINSERVER_IP/remote.log, which are (mostly) a part of other Windows Event Log messages. Looks like big messages from Event Log are split into fragments: the first one gets the local6 facility (via SyslogFacilityValue) and is logged to the windows-log folder (correct behavior), the rest get another facility value (which is unknown to me) and are logged to the linux-log folder (incorrect behavior).

My nxlog config (part of it):

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    # 22 = local6, so every event is tagged with the local6 facility
    Exec        $SyslogFacilityValue = 22;
</Input>

<Processor eventlog_transformer>
    Module      pm_transformer
    Exec        $Hostname = hostname();
    OutputFormat syslog_rfc5424
</Processor>

<Output out>
    Module      om_tcp
    Host        10.7.1.20
    Port        514
    # flatten line breaks and tabs in the already-formatted syslog line
    Exec        $raw_event = replace($raw_event, "\r\n", " ");
    Exec        $raw_event = replace($raw_event, "\t", " ");
</Output>

<Route 1>
    Path        in => eventlog_transformer => out
</Route>

Is there a way to strictly specify local6 facility to all outgoing syslog-type messages and their parts, if they get split?
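An added check, not part of the post above and not nxlog's or rsyslog's own code: a small Python script that frames a captured TCP payload the way a newline-delimited syslog receiver does and reports, for each record, which facility its RFC 5424 PRI header encodes, flagging records that carry no PRI at all. The payload, hostnames and timestamps are constructed samples; that the receiver frames records on newlines is an assumption, not something the post states.

```python
"""Audit a syslog-over-TCP payload: which facility would each record get?

Assumptions (not from the original post): the receiver frames one record per
line feed (no octet-counting), and SAMPLE_PAYLOAD below is constructed.
"""
import re

# Numeric facility codes from RFC 5424; $SyslogFacilityValue = 22 is local6.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# RFC 5424 header starts with <PRI>VERSION followed by a space.
PRI_RE = re.compile(r"^<(\d{1,3})>(\d+) ")


def pri_to_facility_severity(pri):
    """PRI = facility * 8 + severity, so invert with divmod."""
    return pri // 8, pri % 8


def classify_line(line):
    """Return (facility_name, severity) for a record with a valid PRI header,
    or (None, None) for a fragment that carries no header at all."""
    m = PRI_RE.match(line)
    if not m:
        return None, None
    pri = int(m.group(1))
    if pri > 191:  # highest legal PRI is local7.debug = 23 * 8 + 7
        return None, None
    fac, sev = pri_to_facility_severity(pri)
    return FACILITIES.get(fac, "facility%d" % fac), sev


def split_stream(payload):
    """Emulate a newline-framed TCP receiver: every LF ends a record."""
    return [rec for rec in payload.split("\n") if rec != ""]


def audit(payload):
    """Return (facility, severity, text) per record; facility None = fragment."""
    return [(*classify_line(rec), rec) for rec in split_stream(payload)]


# Constructed sample: a Windows event whose message body still contains a bare
# line feed after the \r\n replacement, followed by an ordinary Linux sshd line.
# PRI 182 = local6.info (22 * 8 + 6); PRI 38 = auth.info (4 * 8 + 6).
SAMPLE_PAYLOAD = (
    "<182>1 2024-01-01T12:00:00.000Z WINSRV01 Microsoft-Windows-Security-Auditing 4624 - - "
    "An account was successfully logged on.\n"
    "Subject: Security ID: S-1-5-18\n"
    "<38>1 2024-01-01T12:00:01.000Z linuxbox sshd 1234 - - Accepted publickey for alice\n"
)

if __name__ == "__main__":
    for facility, severity, text in audit(SAMPLE_PAYLOAD):
        tag = "NO PRI (fragment)" if facility is None else "%s.%d" % (facility, severity)
        print("%-18s %s" % (tag, text[:70]))
```

Run over a capture taken on the rsyslog side, this shows whether the records landing in the linux folder arrive with a PRI encoding a facility other than local6, or with no PRI header at all; that distinction is what decides whether the fix belongs in how the message is formatted or in how it is framed on the wire.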