Thanks for the quick answer, Chris!
I have not personally run across any devices that are not supporting RFC 3164 yet, but I'm sure we will see more and more. Especially since the message content is structured.
Here's how I would go about handling it though... Setup Option under Inputs \ UDP - Support for RFC 5424 [] check box.
All RFC 3164 messages should be converted to RFC 5424 and allow NULL values for those messages. It's not the best implementation, but it would allow Kiwi users the option to use it or not and would not slow down the message processing as much as trying to determine which format the Syslog messages are in.
Yes, we would have to re-structure our database tables, possibly separate our log files, and fix our parsing routines in many cases, but only if we check the "RFC 5424 Support" check box in setup. Otherwise our 3164 formatted messages will continue to come in just fine and the RFC 5424 messages will be outcasts.
If you can move this to feature requests, I'll put my vote in.
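
The conversion proposed in the post above, as an added Python example (not from the post and not Kiwi Syslog's code): both formats are mapped onto one set of RFC 5424 columns, and fields an RFC 3164 sender cannot supply come back as None (NULL). The regular expressions, the `normalize` and `FIELDS` names and the sample messages are assumptions constructed for illustration; structured data is kept as a raw string.

```python
import re

NIL = "-"  # RFC 5424 NILVALUE: the sender had no value for this field

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<structured_data>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.S)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?:(?P<app_name>[^\s:\[]{1,32})"
    r"(?:\[(?P<procid>[^\]]+)\])?: ?)?(?P<msg>.*)$",
    re.S)
FIELDS = ("version", "timestamp", "hostname", "app_name", "procid",
          "msgid", "structured_data", "msg")

def normalize(line):
    """Map either format onto RFC 5424 columns; absent values become None (NULL)."""
    # The version digit right after <PRI> separates 5424 from 3164, which
    # starts its timestamp with a month name, so 5424 is tried first.
    for source, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = pattern.match(line)
        if m:
            break
    else:
        raise ValueError("neither RFC 5424 nor RFC 3164")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    got = m.groupdict()
    rec = {"source": source, "facility": pri >> 3, "severity": pri & 7}
    for f in FIELDS:
        v = got.get(f)  # 3164 has no version, msgid or structured_data group
        rec[f] = None if v is None or (f != "msg" and v == NIL) else v
    return rec

# Constructed sample messages, one per format
SAMPLES = [
    "<13>Feb  5 17:32:18 fw01 sshd[4721]: Accepted publickey for admin",
    '<165>1 2003-10-11T22:14:15.003Z host.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventID="1011"] An application event',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(normalize(s))
```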