
Incomplete RFC3164 header for remote logging

Open vaygr opened this issue 1 year ago • 0 comments

I've bumped into this issue when I decided to test log shipping to fluent-bit. It seems metalog doesn't really comply with the default RFC3164 syntax parser, which is this:

^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$

But metalog sends just the last 2 bits, which are ident and message, for example:

[rsyncd] module-list request from UNDETERMINED (127.0.0.1)

As confirmed by this tcpdump:

 00:00:00.000084 AF IPv4 (2), length 91: 10.10.0.4.55797 > 10.10.0.2.4514: UDP, length 59
E..W].@.@...

..

.......C.F[rsyncd] module-list request from UNDETERMINED (127.0.0.1)

Thankfully I can just customize the parser, but the original timestamp and host would be really helpful in a multi-host environment. The former is also very important forensics-wise. To quote RFC3164#4.2:

   There are no set requirements on the contents of the syslog packet as
   it is originally sent from a device.  It should be reiterated here
   that the payload of any IP packet destined to UDP port 514 MUST be
   considered to be a valid syslog message.  It is, however, RECOMMENDED
   that the syslog packet have all of the parts described in Section 4.1
   - PRI, HEADER and MSG - as this enhances readability by the recipient
   and eliminates the need for a relay to modify the message.

vaygr · Aug 20 '24 20:08
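As an added illustration (not code from the issue, from metalog or from fluent-bit), the default fluent-bit RFC3164 regex quoted above translated to Python named-group syntax and run against a complete RFC3164 message and against the header-less line metalog actually sends. The `METALOG_RE` fallback and the sample lines are constructed for this example.

```python
import re

# fluent-bit's default RFC3164 parser regex, translated from Onigmo to Python
# only by renaming groups (?<name>...) -> (?P<name>...); the pattern is otherwise unchanged.
RFC3164_RE = re.compile(
    r"^<(?P<pri>[0-9]+)>"
    r"(?P<time>[^ ]* {1,2}[^ ]* [^ ]*) "      # "Aug 20 20:08:01" or "Aug  5 20:08:01"
    r"(?P<host>[^ ]*) "
    r"(?P<ident>[a-zA-Z0-9_/.\-]*)"
    r"(?:\[(?P<pid>[0-9]+)\])?"
    r"(?:[^:]*:)? *"
    r"(?P<message>.*)$"
)

# Constructed fallback for the "[ident] message" shape metalog sends over UDP.
# This is an assumption for the example, not a fluent-bit built-in parser.
METALOG_RE = re.compile(r"^\[(?P<ident>[^\]]+)\] (?P<message>.*)$")

HEADER_PARTS = ("pri", "time", "host")


def parse_syslog(line: str) -> dict:
    """Parse one UDP syslog payload and record whether the RFC3164 PRI/HEADER were present."""
    m = RFC3164_RE.match(line)
    if m:
        fields = m.groupdict()
        pri = int(fields["pri"])
        fields["facility"] = pri >> 3   # RFC3164 4.1.1: PRI = facility * 8 + severity
        fields["severity"] = pri & 7
        fields["complete"] = True
        return fields
    # No PRI/HEADER: fall back to metalog's "[ident] message" layout, then to raw text,
    # since RFC3164 4.2 says any UDP/514 payload MUST still be treated as a syslog message.
    m = METALOG_RE.match(line)
    fields = m.groupdict() if m else {"ident": None, "message": line}
    fields.update(pri=None, time=None, host=None, pid=None,
                  facility=None, severity=None, complete=False)
    return fields


def missing_header_parts(fields: dict) -> list:
    """Return the RFC3164 parts a collector cannot recover from this line (timestamp, origin host...)."""
    return [k for k in HEADER_PARTS if fields.get(k) is None]


if __name__ == "__main__":
    # Constructed samples: a full RFC3164 line versus the header-less line from the tcpdump above.
    for sample in ("<30>Aug 20 20:08:01 host1 rsyncd[1234]: module-list request from UNDETERMINED (127.0.0.1)",
                   "[rsyncd] module-list request from UNDETERMINED (127.0.0.1)"):
        f = parse_syslog(sample)
        print(f["complete"], f["host"], f["ident"], "missing:", missing_header_parts(f))
```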