I am observing the following behaviour when logging to syslog from an external application: if I send a well-formed syslog message to a UDP socket, rsyslog correctly parses it; however, if the very same message is sent to a UNIX domain socket (/dev/log), it is not parsed at all (rsyslog basically assumes that everything it received is a message, so no timestamp, no anything).
The message in question is
<142>1 2010-12-29T11:11:11Z foo bar 123 baz - A Message
which is parsed as
Dec 29 11:11:11 foo bar[123] A Message
unless it isn't.
Probably you should send the message without the hostname (foo) and in RFC 3164 format (not RFC 5424 as above) to get it parsed.
When parsing messages, rsyslog does its best to make sense of them.
For a message received from a Unix socket, rsyslog accepts RFC 3164-like messages, using these fields: pri, timestamp, tag, and content.
It accepts various message formats, like:
just a message
<pri>message
<pri>tag: msg
About the message timestamps: the SysSock.IgnoreTimestamp option is enabled by default; your timestamps will be ignored until you disable this option.
The hostname field cannot be overridden. rsyslog will always get it from its configuration.
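The conversion both answers point to, as an added example that is not part of the original posts: it rewrites an RFC 5424 line such as the one in the question into the `<pri>timestamp tag: msg` form for the local socket, dropping the hostname. The function names, the simplified structured-data pattern and the datagram type of /dev/log are assumptions of this sketch.

```python
import re
import socket
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Simplification: structured data is "-" or bracketed elements with no
# escaped "]" inside parameter values.
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)",
    re.S)


def to_local_socket_form(line):
    """Rewrite an RFC 5424 line as '<pri>timestamp tag: msg'."""
    m = RFC5424.fullmatch(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:  # facility 23, severity 7 is the highest valid value
        raise ValueError("PRI out of range")
    app, procid = m["app"], m["procid"]
    tag = app if procid == "-" else f"{app}[{procid}]"
    if m["ts"] == "-":
        # No timestamp available: fall back to the '<pri>tag: msg' form.
        return f"<{pri}>{tag}: {m['msg']}"
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    # RFC 3164 stamp is "Mmm dd hh:mm:ss" with a space-padded day and no
    # zone; the clock value is kept exactly as the sender wrote it.
    stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"
    # The hostname field is dropped: the daemon supplies its own.
    return f"<{pri}>{stamp} {tag}: {m['msg']}"


def send_local(line, path="/dev/log"):
    """Send one message to the local log socket (assumed SOCK_DGRAM)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        s.send(line.encode("utf-8"))


if __name__ == "__main__":
    # The message from the question.
    sample = "<142>1 2010-12-29T11:11:11Z foo bar 123 baz - A Message"
    print(to_local_socket_form(sample))
```

With SysSock.IgnoreTimestamp left at its default, the stamp in the converted line is still replaced by the time of receipt, as the answer above notes.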