syslog header format requirements when sending data to TIBCO LogLogic LMI


Article ID: KB0077414


Products Versions
TIBCO LogLogic Enterprise Virtual Appliance all versions

Description

When using custom scripts to send events to LogLogic LMI via TCP syslog, you must use a specific syslog header format for LMI to process them properly. Here is an example of the format:
"<13>Jul  2 17:29:35 172.16.0.125 "

Note that this is only the required format; the specific values for the syslog priority can be different. The host field must be an IPv4 address in order to spoof the source IP and retain the date/time header information. If the host field contains a hostname, the IP used as the event source is the source IP from the network packet header, so no spoofing occurs, but the event's date/time is preserved (i.e. not stripped out). If an IPv6 address, or an IPv4 address mapped into IPv6 notation, is used, the date/time is stripped from the message payload because the syntax resembles the pattern that the TCP collector in LogLogic LMI matches to detect another LMI appliance forwarding syslog events; spoofing still succeeds, because LMI uses the IP in the syslog header as the event source.
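The following Python helper is an added example, not part of the original article and not TIBCO code. It builds a header in the format shown above and checks the host field against the three cases just described, so a custom sender script fails early instead of losing timestamps or source attribution. The function names, the year in the sample date and the sample hostname are assumptions.

```python
import ipaddress
from datetime import datetime

# Fixed English month names: strftime("%b") would follow the sender's locale.
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Handling per host-field type, as described in the article:
# (event source taken from the header, date/time kept in the message)
LMI_HANDLING = {
    "ipv4":     (True,  True),
    "hostname": (False, True),    # source falls back to the packet's source IP
    "ipv6":     (True,  False),   # also covers IPv4 mapped into IPv6 notation
}

def classify_host(host):
    """Return 'ipv4', 'ipv6' or 'hostname' for a syslog header host field."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "ipv4" if addr.version == 4 else "ipv6"

def build_header(when, host, facility=1, severity=5):
    """Build '<PRI>Mmm dd hh:mm:ss HOST ' and reject host values that the
    article says lose either source attribution or the date/time."""
    if not host or any(c.isspace() for c in host):
        raise ValueError("host field must be a single non-empty token")
    kind = classify_host(host)
    if kind != "ipv4":
        from_header, keeps_time = LMI_HANDLING[kind]
        raise ValueError(f"{host!r} is {kind}: source from header="
                         f"{from_header}, date/time kept={keeps_time}")
    pri = facility * 8 + severity          # defaults give 13, as in the example
    # The day of month is space-padded to two characters ("Jul  2").
    return (f"<{pri}>{MONTHS[when.month - 1]} {when.day:2d} "
            f"{when:%H:%M:%S} {host} ")

if __name__ == "__main__":
    ts = datetime(2024, 7, 2, 17, 29, 35)  # constructed sample time
    print(repr(build_header(ts, "172.16.0.125")))
    for h in ("172.16.0.125", "app01.example.internal", "::ffff:172.16.0.125"):
        print(h, classify_host(h), LMI_HANDLING[classify_host(h)])
```
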

Refer to article 000040374 for more information needed when using custom scripts to send syslog events to LogLogic LMI.

Issue/Introduction

This article explains the syslog header requirements when sending data to LogLogic LMI via TCP syslog.