<38>Aug 2 11:49:23 su: [ID 366847 auth.info] 'su root' succeeded for root
This message is missing the source, which has to be before the Syslogtag,
as it is defined in
RFC3164. So correctly, the
Syslog would have to look
<38>Aug 2 11:49:23 mymaschine su: [ID 366847 auth.info] 'su root'
succeeded for root on /dev/console
In the first message, our Syslog Server treats the SyslogTag value as Source, and doesn't
continue to parse the SyslogTag Value. This will result in an empty
SyslogTag, and wrong parsed source. The problem is that our Syslog Server
does not expect such a message, and so it can't be handled directly.