Logging via UNIX domains sockets is not quite conformant

[indyjo]

The messages sent to /dev/log via UNIX domain sockets by winston-syslog are formatted according to RFC 3164 by default. However, Syslog daemons listening on /dev/log apparently expect a slightly different format. In the expected format, the HOSTNAME field (specified by RFC 3164 to immediately follow the TIMESTAMP) does not occur.

When using winston-syslog to log to systemd's journald on /dev/log, this results in the log message not being parsed correctly. Specifically, the property SYSLOG_IDENTIFIER is not extracted correctly which makes filtering harder.

As a workaround, I recommend setting the localhost option to an empty string:

new winston.transports.Syslog({
  protocol: "unix",
  path: "/dev/log",
  facility: "local0",
  localhost: "", 
  app_name: "my-app",
  level: requestedLevel,
  format: syslogFormat
})

I couldn't find this behavior of /dev/log specified anywhere, but source code of journald, glibc and musl all point into the same direction, and there is this discussion:

Oh, P.S.: /dev/log isn't RFC3164, it's RFC3164 without the hostname field (and without a trailing \n) - sending RFC3164 doesn't work 😄
Originally posted by @eqvinox in systemd/systemd#19251 (comment)

Ideally, winston-syslog would automatically configure a different message format (modified BSD/RFC 3164) when protocol "unix" is selected.