Hey,<br><br>Thanks for the reply and the explanation.<br>Not all IOSes/Cisco boxes support enabling the year in the log, e.g. Catalyst ME3400/4500<br><br>I can see that the log I am now getting looks like this, after I got some of my config to work:<br>
--<br>Message from syslogd@<syslog-ng sender> at Wed Jan 20 10:21:02 2010 ...<br><syslog-ng sender> Jan 20 10:21:01: %SYS-5-CONFIG_I: Configured from console by <user> on vty0 (<ip>)> <br>--<br>
<br>Martin<br><br><div class="gmail_quote">2010/1/19 Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Tue, 2010-01-19 at 13:16 +0100, Marty Sørensen wrote:<br>
> Hey Bazsi,<br>
><br>
> Thanks for the quick reply, great job/service.<br>
><br>
> Unfortunately it still doesn't work with the config I pasted:<br>
> --<br>
> Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I:<br>
> Configured from console by <username> on vty0 (<ip>)<br>
> --<br>
<br>
</div>There's a colon in the date after the seconds part: 'Jan 19 13:13:44:',<br>
is that really there as it is received from the Cisco box?<br>
<br>
It most resembles this format as supported by syslog-ng:<br>
<br>
/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */<br>
<br>
However it seems to lack the year information.<br>
<br>
The currently supported date formats can be found in logmsg.c,<br>
log_msg_parse_date() function:<br>
<br>
/* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */<br>
/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */<br>
/* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */<br>
/* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */<br>
/* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */<br>
<br>
<br>
You can enable year in the timestamp above with:<br>
<br>
# service timestamps year<br>
<br>
If I read this correctly:<br>
<br>
<a href="http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07.html#wp1029551" target="_blank">http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07.html#wp1029551</a><br>
<br>
The timestamp above would be fine, if there was no colon at the end. But<br>
there is, which causes syslog-ng to expect a year as well.<br>
<div><div></div><div class="h5"><br>
><br>
> Martin<br>
><br>
> 2010/1/19 Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>><br>
> On Tue, 2010-01-19 at 11:08 +0100, Marty Sørensen wrote:<br>
> > Hello ....<br>
> ><br>
> > New user to syslog-ng but still hoping someone can help me<br>
> with a<br>
> > small config example<br>
> ><br>
> > I'm forwarding syslog from my syslog-ng but when it arrives<br>
> it has<br>
> > double timestamps/hostname:<br>
> > --<br>
> > Jan 19 11:02:58 cut-hostname 10.229.5.2 32176: Jan 19<br>
> 11:02:57: %<br>
> > SFF8472-5-THRESHOLD_VIOLATION<br>
> > --<br>
><br>
><br>
> Your Cisco gear is including sequence number in the timestamp<br>
> which<br>
> syslog-ng doesn't recognize.<br>
><br>
> That's the "32176: " prefix before the 2nd timestamp. If you<br>
> disable<br>
> that, it'll work.<br>
><br>
> I'm planning to add support for this field in the future.<br>
><br>
><br>
> --<br>
> Bazsi<br>
><br>
> ______________________________________________________________________________<br>
> Member info:<br>
> <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
><br>
><br>
><br>
<br>
<br>
</div></div>--<br>
<div><div></div><div class="h5">Bazsi<br>
<br>
<br>
</div></div></blockquote></div><br>
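Added example, not part of the original thread and not syslog-ng's code: Python that checks a payload against the five timestamp layouts listed in the thread and normalizes the two Cisco variants discussed (the sequence-number prefix and the trailing colon without a year). The regexes and the function names are assumptions of this example; the sample lines are reconstructed from the ones quoted in the thread.

```python
import re

# Timestamp layouts quoted in the thread from log_msg_parse_date(). The regexes
# are this example's approximation, not syslog-ng's actual parsing code.
MON = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
HMS = r"\d{2}:\d{2}:\d{2}"
FORMATS = [  # order matters: the more specific layouts are tried first
    ("RFC3339", rf"\d{{4}}-\d{{2}}-\d{{2}}T{HMS}(?:\.\d+)?(?:Z|[+-]\d{{2}}:\d{{2}})"),
    ("PIX", rf"{MON} +\d{{1,2}} \d{{4}} {HMS}:"),
    ("ASA", rf"{MON} +\d{{1,2}} \d{{4}} {HMS}"),
    ("LinkSys", rf"{MON} +\d{{1,2}} {HMS} \d{{4}}"),
    ("RFC3164", rf"{MON} +\d{{1,2}} {HMS}"),
]

# Cisco payload: optional "NNNN: " sequence number, timestamp with optional
# year and optional trailing colon, then the %FACILITY-SEV-MNEMONIC text.
CISCO = re.compile(
    rf"^(?:(?P<seq>\d+): )?"
    rf"(?P<ts>{MON} +\d{{1,2}}(?: \d{{4}})? {HMS}):? "
    rf"(?P<msg>%.*)$"
)

def classify_timestamp(payload):
    """Return the name of the listed layout the payload starts with, or None."""
    for name, pattern in FORMATS:
        m = re.match(pattern, payload)
        # Only count a match whose timestamp ends at a space or end of text,
        # so "HH:MM:SS:" without a year is not accepted as RFC 3164.
        if m and (m.end() == len(payload) or payload[m.end()] == " "):
            return name
    return None

def normalize_cisco(payload):
    """Split a Cisco payload into sequence number, timestamp and message."""
    m = CISCO.match(payload)
    if not m:
        return None
    seq = int(m.group("seq")) if m.group("seq") else None
    return {"seq": seq, "timestamp": m.group("ts"), "message": m.group("msg")}

def rewrite(payload):
    """Re-emit the payload without sequence number or trailing colon."""
    parts = normalize_cisco(payload)
    return payload if parts is None else f"{parts['timestamp']} {parts['message']}"

# Constructed samples based on the lines quoted in the thread.
WITH_SEQ = "32176: Jan 19 11:02:57: %SFF8472-5-THRESHOLD_VIOLATION"
WITH_COLON = "Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console"
```

Running the rewritten payloads back through `classify_timestamp` shows both samples landing on the RFC 3164 layout, which is the double-header symptom going away.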