Hello:<br><br>I have several sources that are all reporting to a syslog-ng 2.0.3 server<br>My source is <br><br>source all_routers { udp(ip(<a href="http://0.0.0.0">0.0.0.0</a>) port(514));<br>};<br><br>My problem is that I have one source that is isolated to a separate file
<br><br>I isolate the file with the following <br>filter f_pd_snort { host(intsnort1); };<br><br>and have this destination<br>destination d_pd_snort { file("/var/log/syslog-ng-logs/pd_snort.1" perm(0644) template(t_default)); };
<br><br>then i use the following command<br>log { source(all_routers); filter(f_pd_snort); destination(d_pd_snort); };<br><br>The problem is the format the data is arriving in. It send data in UTC time as follows<br>Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:13:1] Snort Alert [Classification: Unknown] [Priority: 3]
<br>Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:4:1] Snort Alert [Classification: Unknown] [Priority: 3] <br>Apr 30 14:04:35 2007 intsnort1 SFIMS: [122:3:0] Snort Alert [Classification: Unknown] [Priority: 3]<br><br>This is UTC. It is the time that is being sent in the actual packet (I verified with wireshark)
<br><br>I want syslog-ng to modify the times going into this file (and this file only) to reflect EST time.<br><br>Based upon the documentation The following algorithm is used.<br><br><ol type="1"><li>
<p>The sender can specify the timezone of the messages. If the incoming message
includes a timezone it is associated with the message. Otherwise, the local
timezone is assumed.</p>
</li><li>
<p>The administrator specifies the <a title="Table 3.1. Common options for source drivers" href="#sourcecommonopts"><em class="parameter"><code>time_zone()</code></em>
</a>parameter for the source driver that reads the message. This parameter
overrides the original timezone of the message. Each source defaults to the
value of the <a title="5. Options" href="#reference_options"><em class="parameter"><code>recv_time_zone()</code></em> </a>global option. </p>
</li><li>
<p>The destination driver specifies the timezone via the <a title="Table 3.5. Common options for destination drivers" href="#destcommonopts"><em class="parameter"><code>time_zone()</code></em>
</a>parameter. Each destination driver might have an associated timezone value
to which message timestamps are converted before they are sent to the final
destination (file or network socket). Each destination defaults to the value of
the <a title="5. Options" href="#reference_options"><em class="parameter"><code>send_time_zone()</code></em> </a>global option. A message
can be sent to multiple destination zones.</p>
</li><li>
<p>When macro expansions are used in the destination filenames, the local
timezone is used</p></li></ol><br>So option #1 is not being done<br>I can't use #2 because my source is defined for all devices<br>I tried using #3..... with the line modified as <br>destination d_pd_snort { file("/var/log/syslog-ng-logs/pd_snort.1" perm(0644)
<span style="font-weight: bold;">time_zone(-04:00)</span> template(t_default)); };<br><br>However.. this does not seem to make any difference... Can you please tell me why option #3 is not working ....<br>and also... why is it that in #1 it is not defauling to just adding the local timezone since the incoming message does not have a timezone specified.
<br><br>Please help and thank you :)<br><br><br><br><br><br><br><br><br><br>