[syslog-ng] patterndb skewing timestamps
Clements, Frank
fclements at corp.ptd.net
Thu Dec 1 15:01:33 CET 2011
I've been working a bit over the last few weeks with patterndb -
specifically correlating messages. I just noticed that when log
messages are correlated, patterndb is skewing the timestamps from the
first message (possibly others in between as well) by a few seconds.
While this may not seem like a big problem, it results in logs that do
not align properly in history.
A little on the configuration.
I have two patterns to match; on receiving the second, I generate a new
message with the format:
logHost=${HOST} mapStart=${S_UNIXTIME}@2 mapStop=${S_UNIXTIME}
protocol=${PROGRAM} insideAddr=${.dict.insideAddr}@1
insidePort=${.dict.insidePort}@1 outsideAddr=${.dict.outsideAddr}@1
outsidePort=${.dict.outsidePort}@1 destAddr=${.dict.destAddr}@2
destPort=${.dict.destPort}@2
My original log lines are as follows:
Dec 1 08:39:41 AX2600 UC: e0a8636e:a16c->5f2c65b3:a16c to 8f2c77ca:a1
Dec 1 08:48:06 AX2600 UF: e0a8636e:a16c->5f2c65b3:a16c
The generated log line is:
logHost=RHOSTNAME mapStart=1322747067 mapStop=1322747286 protocol=U
insideAddr=e0a8636e insidePort=a16c outsideAddr=5f2c65b3
outsidePort=a16c destAddr=80a8650c destPort=3f
According to the docs S_ represents the log message time - so that means
mapStart should line up, but it does not: 1322747067 == Thu Dec 01 2011
08:44:27. The stop message does not suffer from this issue.
Anyone have a workaround for this? I tried using R_UNIXTIME at 2 instead,
but that is also skewed.
--
Frank Clements
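The check below is an added example, not code from the poster or from syslog-ng. It takes the two original log lines and the correlated message quoted above, converts each BSD-syslog header to Unix time, and reports how far mapStart and mapStop differ from the timestamps they were supposed to carry. The year (2011) and the sender's clock offset (UTC-5) are assumptions: the post does not state them, but they are consistent with its own "1322747067 == Thu Dec 01 2011 08:44:27".

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs, copied from the post: the two original log lines and
# the message patterndb generated from them.
ORIGINAL_LINES = [
    "Dec 1 08:39:41 AX2600 UC: e0a8636e:a16c->5f2c65b3:a16c to 8f2c77ca:a1",
    "Dec 1 08:48:06 AX2600 UF: e0a8636e:a16c->5f2c65b3:a16c",
]
GENERATED_LINE = (
    "logHost=RHOSTNAME mapStart=1322747067 mapStop=1322747286 protocol=U "
    "insideAddr=e0a8636e insidePort=a16c outsideAddr=5f2c65b3 "
    "outsidePort=a16c destAddr=80a8650c destPort=3f"
)

# Assumptions (not stated in the post): the year is 2011 and the sender's
# clock is UTC-5. The post's "1322747067 == 08:44:27" agrees with both.
YEAR = 2011
TZ = timezone(timedelta(hours=-5))

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def syslog_epoch(line, year=YEAR, tz=TZ):
    """Unix time of a BSD-syslog 'Mon D HH:MM:SS ...' header (year/tz assumed)."""
    mon, day, clock = line.split()[:3]
    h, m, s = (int(x) for x in clock.split(":"))
    stamp = datetime(year, MONTHS[mon], int(day), h, m, s, tzinfo=tz)
    return int(stamp.timestamp())


def parse_kv(line):
    """Split a 'key=value key=value ...' message into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def timestamp_skew(original_lines, generated_line):
    """Seconds by which the correlated message's mapStart/mapStop drift
    from the timestamps of the first and second original messages.
    A zero means the field lines up; anything else is the skew the post
    describes."""
    fields = parse_kv(generated_line)
    expected_start = syslog_epoch(original_lines[0])
    expected_stop = syslog_epoch(original_lines[1])
    return {
        "mapStart": int(fields["mapStart"]) - expected_start,
        "mapStop": int(fields["mapStop"]) - expected_stop,
    }


if __name__ == "__main__":
    for name, delta in timestamp_skew(ORIGINAL_LINES, GENERATED_LINE).items():
        print(f"{name}: skewed by {delta} seconds")
```

Run against the post's data this reports mapStop as aligned and mapStart as 286 seconds (4m46s) ahead of the first message, which is the drift the post describes; the same function can be pointed at any pair of source lines and their correlated output to confirm whether a configuration change has fixed it.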