[syslog-ng] Remove double timestamping

Marty Sørensen buzzwork at gmail.com
Wed Jan 20 10:27:26 CET 2010


Hey,

Thanks for the reply and the explanation.
It's not all IOSes/Cisco boxes that support enabling the year in the log, e.g.
Catalyst ME3400/4500

I can see that the log I'm getting now looks like this, after I got some of my
config to work:
--
Message from syslogd@<syslog-ng sender> at Wed Jan 20 10:21:02 2010 ...
<syslog-ng sender> Jan 20 10:21:01: %SYS-5-CONFIG_I: Configured from console
by <user> on vty0 (<ip>)>
--

Martin

2010/1/19 Balazs Scheidler <bazsi at balabit.hu>

> On Tue, 2010-01-19 at 13:16 +0100, Marty Sørensen wrote:
> > Hey Bazsi,
> >
> > Thanks for the quick reply, great job/service.
> >
> > Unfortunately it still doesn't work with the config I pasted:
> > --
> > Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I:
> > Configured from console by <username> on vty0 (<ip>)
> > --
>
> There's a colon in the date after the seconds part: 'Jan 19 13:13:44:',
> is that really there as it is received from the Cisco box?
>
> It most resembles this format as supported by syslog-ng:
>
> /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
>
> However it seems to lack the year information.
>
> The currently supported date formats can be found in logmsg.c,
> log_msg_parse_date() function:
>
>      /* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
>      /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
>      /* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */
>      /* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
>      /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
>
>
> You can enable year in the timestamp above with:
>
> # service timestamps year
>
> If I read this correctly:
>
>
> http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07.html#wp1029551
>
> The timestamp above would be fine, if there was no colon at the end. But
> there is, which causes syslog-ng to expect a year as well.
>
> >
> > Martin
> >
> > 2010/1/19 Balazs Scheidler <bazsi at balabit.hu>
> >         On Tue, 2010-01-19 at 11:08 +0100, Marty Sørensen wrote:
> >         > Hello ....
> >         >
> >         > New user to syslog-ng but still hoping someone can help me
> >         with a
> >         > small config example
> >         >
> >         > I'm forwarding syslog from my syslog-ng but when it arrives
> >         it has
> >         > double timestamps/hostname:
> >         > --
> >         > Jan 19 11:02:58 cut-hostname 10.229.5.2 32176: Jan 19
> >         11:02:57: %
> >         > SFF8472-5-THRESHOLD_VIOLATION
> >         > --
> >
> >
> >         Your Cisco gear is including sequence number in the timestamp
> >         which
> >         syslog-ng doesn't recognize.
> >
> >         That's the "32176: " prefix before the 2nd timestamp. If you
> >         disable
> >         that, it'll work.
> >
> >         I'm planning to add support for this field in the future.
> >
> >
> >         --
> >         Bazsi
> >
> >
> ______________________________________________________________________________
> >         Member info:
> >         https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >         Documentation:
> >         http://www.balabit.com/support/documentation/?product=syslog-ng
> >         FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
> --
> Bazsi
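Added example (not part of the thread and not syslog-ng code): a Python sketch that checks a message's leading timestamp against the five format comments quoted above from log_msg_parse_date(), and shows why the two Cisco lines in this thread match none of them until the sequence number and the colon after the seconds are removed. The regular expressions, the rule that a timestamp must be followed by a space or end of line, and the names classify and normalize are assumptions made for illustration.

```python
import re

MON = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
DAY, HMS, YEAR = r"[ \d]\d", r"\d\d:\d\d:\d\d", r"\d{4}"

# One pattern per format comment quoted in the thread (assumed regexes, not
# syslog-ng's parser). Order matters: RFC 3164 is a prefix of the LinkSys form.
FORMATS = [
    ("RFC3339", rf"\d{{4}}-\d\d-\d\dT{HMS}(?:\.\d+)?[+-]\d\d:\d\d"),
    ("PIX",     rf"{MON} {DAY} {YEAR} {HMS}:"),   # year present, trailing colon
    ("ASA",     rf"{MON} {DAY} {YEAR} {HMS}"),
    ("LinkSys", rf"{MON} {DAY} {HMS} {YEAR}"),
    ("RFC3164", rf"{MON} {DAY} {HMS}"),
]

SEQNO = re.compile(r"^\d+: ")                        # Cisco sequence number, e.g. "32176: "
COLON = re.compile(rf"^({MON} {DAY} {HMS}):(?= )")   # colon after seconds, no year


def classify(text):
    """Return the name of the first format the leading timestamp matches, else None."""
    for name, pattern in FORMATS:
        # Assumption: a timestamp only counts if a space or end of line follows it.
        if re.match(pattern + r"(?= |$)", text):
            return name
    return None


def normalize(text):
    """Drop the sequence-number prefix and the colon that follows the seconds."""
    text = SEQNO.sub("", text, count=1)
    return COLON.sub(r"\1", text, count=1)


if __name__ == "__main__":
    # Message parts taken from the thread (wrapped lines rejoined), plus one
    # constructed line with the year enabled.
    samples = [
        "32176: Jan 19 11:02:57: %SFF8472-5-THRESHOLD_VIOLATION",
        "Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console",
        "Jan 19 2010 13:13:44: %SYS-5-CONFIG_I: constructed, year enabled",
    ]
    for s in samples:
        print(f"{classify(s)!s:8} -> {classify(normalize(s))!s:8} {s}")
```

A line that classifies as None is one where the device timestamp would be left in the message body, which is how the doubled timestamp in the forwarded log arises.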