[syslog-ng] Remove double timestamping

Balazs Scheidler bazsi at balabit.hu
Tue Jan 19 17:05:38 CET 2010


On Tue, 2010-01-19 at 13:16 +0100, Marty Sørensen wrote:
> Hey Bazsi,
> 
> Thanks for the quick reply, great job/service.
> 
> Unfortunately it still doesn't work with the config I pasted:
> --
> Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I:
> Configured from console by <username> on vty0 (<ip>)
> --

There's a colon in the date after the seconds part: 'Jan 19 13:13:44:'.
Is that really there as it is received from the Cisco box?

It most resembles this format supported by syslog-ng:

/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */

However it seems to lack the year information.

The currently supported date formats can be found in logmsg.c,
log_msg_parse_date() function:

      /* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
      /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
      /* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */
      /* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
      /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */


You can enable year in the timestamp above with:

# service timestamps year

If I read this correctly:

http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07.html#wp1029551

The timestamp above would be fine if there were no colon at the end. But
there is, which causes syslog-ng to expect a year as well.

> 
> Martin
> 
> 2010/1/19 Balazs Scheidler <bazsi at balabit.hu>
>         On Tue, 2010-01-19 at 11:08 +0100, Marty Sørensen wrote:
>         > Hello ....
>         >
>         > New user to syslog-ng but still hoping someone can help me
>         with a
>         > small config example
>         >
>         > I'm forwarding syslog from my syslog-ng but when it arrives
>         it has
>         > double timestamps/hostname:
>         > --
>         > Jan 19 11:02:58 cut-hostname 10.229.5.2 32176: Jan 19
>         11:02:57: %
>         > SFF8472-5-THRESHOLD_VIOLATION
>         > --
>         
>         
>         Your Cisco gear is including sequence number in the timestamp
>         which
>         syslog-ng doesn't recognize.
>         
>         That's the "32176: " prefix before the 2nd timestamp. If you
>         disable
>         that, it'll work.
>         
>         I'm planning to add support for this field in the future.
>         
>         
>         --
>         Bazsi
>         
>         ______________________________________________________________________________
>         Member info:
>         https://lists.balabit.hu/mailman/listinfo/syslog-ng
>         Documentation:
>         http://www.balabit.com/support/documentation/?product=syslog-ng
>         FAQ: http://www.campin.net/syslog-ng/faq.html
>         
> 


-- 
Bazsi
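An added example, not code from this thread or from syslog-ng itself: a small Python approximation of the format dispatch in log_msg_parse_date(), built from the five format comments quoted above, plus a check that flags relayed lines still carrying a second, Cisco-generated timestamp (the situation both messages describe). The regexes, the sample lines (hostnames and addresses replaced with constructed placeholders), the handling of the "NNNN: " sequence-number prefix, and the assumed placement of the year once `service timestamps year` is enabled are all this example's own assumptions, not syslog-ng's real parser.

```python
"""Approximate which of syslog-ng's documented date formats a line's leading
timestamp matches, and detect relayed messages that carry a second timestamp.
The patterns below are written for this example; they are not syslog-ng code."""
import re

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
DAY = r"(?: \d|\d\d)"          # RFC 3164 pads a single-digit day with a space
TIME = r"\d\d:\d\d:\d\d"

# One pattern per comment in log_msg_parse_date(), in the order the reply lists
# them. A colon directly after the seconds is accepted only by the PIX form,
# which is how the reply describes the behaviour ("expect a year as well").
FORMATS = [
    ("RFC3339", re.compile(rf"^\d{{4}}-\d\d-\d\dT{TIME}(?:\.\d+)?[+-]\d\d:\d\d")),
    ("PIX",     re.compile(rf"^{MONTH} {DAY} \d{{4}} {TIME}:")),
    ("ASA",     re.compile(rf"^{MONTH} {DAY} \d{{4}} {TIME}(?=\s|$)")),
    ("LinkSys", re.compile(rf"^{MONTH} {DAY} {TIME} \d{{4}}(?=\s|$)")),
    ("RFC3164", re.compile(rf"^{MONTH} {DAY} {TIME}(?=\s|$)")),
]

# Loose shape used only to *detect* an embedded timestamp, including variants the
# strict formats reject. The optional "NNNN: " is the Cisco sequence-number
# prefix the thread mentions ("32176: "); treating it this way is an assumption.
EMBEDDED = re.compile(
    rf"(?:(?P<seq>\d+): )?"
    rf"(?P<stamp>{MONTH} {DAY} (?:\d{{4}} )?{TIME}(?: \d{{4}})?:?)(?=\s|$)"
)

# Constructed sample lines in the shape quoted in the thread; hostnames and
# addresses are placeholders, not real log data.
SAMPLES = [
    "Jan 19 13:13:45 router1 : Jan 19 13:13:44: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (192.0.2.10)",
    "Jan 19 11:02:58 router1 10.229.5.2 32176: Jan 19 11:02:57: "
    "%SFF8472-5-THRESHOLD_VIOLATION",
]


def classify_timestamp(text):
    """Return (format_name, matched_stamp, remainder) or None if nothing matches."""
    for name, rx in FORMATS:
        m = rx.match(text)
        if m:
            return name, m.group(0), text[m.end():].lstrip()
    return None


def _format_of(text):
    r = classify_timestamp(text)
    return r[0] if r else None


def find_double_timestamp(line):
    """Parse the outer syslog timestamp, then search the body for a second one.
    Returns None for lines that are fine, otherwise a dict describing the problem."""
    outer = classify_timestamp(line)
    if outer is None:
        return None
    fmt, stamp, body = outer
    m = EMBEDDED.search(body)
    if m is None:
        return None
    inner = m.group("stamp")
    return {
        "outer_format": fmt,
        "sequence": m.group("seq"),                      # e.g. "32176", or None
        "inner_stamp": inner,
        "inner_parseable": _format_of(inner) is not None,
        "message": body[m.end():].lstrip(),
    }


def suggested_fixes(inner_stamp, year=2010):
    """Show which of the thread's two remedies makes the inner stamp parseable.
    Assumes the year lands between day and time, as in the PIX form; the default
    year is just the date of the thread, used as a constructed value."""
    fixes = []
    if inner_stamp.endswith(":"):
        no_colon = inner_stamp[:-1]
        fixes.append(("drop trailing colon", no_colon, _format_of(no_colon)))
    with_year = re.sub(rf"^({MONTH} {DAY}) ", rf"\1 {year} ", inner_stamp)
    fixes.append(("add year (service timestamps year)", with_year, _format_of(with_year)))
    return fixes


if __name__ == "__main__":
    for line in SAMPLES:
        print(find_double_timestamp(line))
    print(suggested_fixes("Jan 19 13:13:44:"))
```

Run over a relay's incoming feed, `find_double_timestamp` is the check that tells you which senders still need their `service timestamps` or sequence-number settings adjusted, while `suggested_fixes` shows why each remedy works against the documented format list: dropping the colon turns the inner stamp into plain RFC 3164, adding the year turns it into the PIX form.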
