<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Thank you very much for your reply Patrick, that was very helpful.</div><div><br></div><div>I have downloaded syslog-ng v3.3 (Debian Wheezy) just to get the latest, and I'm still having a problem.</div><div><br></div><div>Based in your advice, I was able to successfully get the iso ts_format if I use the syslog() destination driver. However, if I use the tcp() destination driver, I still cannot get iso ts_format. syslog-ng ignores my parameter and sends old style timestamps.</div><div><br></div><div>my driver:</div><div><div></div></div><blockquote type="cite"><div><div>destination My_Syslog { tcp("<a href="http://syslog.server.salk.edu">syslog.server.salk.edu</a>" port(514) ts_format(iso) ); };</div></div></blockquote><blockquote type="cite">log { source(s_src); destination(My_Syslog); };</blockquote><div><br></div><div><br></div>tcpdump:<div><blockquote type="cite">@.m..<hw<86>Apr 6 01:24:01 host CRON[1923]: pam_unix(cron:session): session closed for user root</blockquote><div><div><br></div><div>In fact, I have tried all variations of ts_format (rfc3164, bsd, rfc3339, iso) and I always get the same result.</div><div><br></div><div>Eventually I will switch to the syslog message protocol, so this is not a show-stopper. But not getting something</div><div>to work as advertised is still troubling.</div><div><br></div><div>Could I be missing something else? Or might we be in bug/documentation bug territory?</div><div><br></div><div>Thanks,</div><div>Chris</div><div><br></div><div><br></div><br><div><div>On Apr 5, 2012, at 7:10 PM, Patrick Hemmer wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000066">
<font color="#000000">Somewhere in between bug and misunderstanding.
The bug would be in documentation, but the behavior is deliberate.<br>
The reason is that when sending over the network to a syslog
server, the server expects the message in a certain format. When
you change the timestamp, that format is now invalid and the
remote end might not be able to parse it.<br>
<br>
Now you could put `ts_format(iso)` in the `tcp()` destination
driver. But if your remote server is looking for a timestamp in
ISO format, it probably supports the <a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_message_ietfsyslog.html">syslog
message protocol</a>, which uses ISO timestamps. Syslog-ng uses
the <a href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_destination_syslog.html">syslog</a>
destination driver for sending in this format.<br>
<br>
The syslog message protocol looks like this:<br>
</font><font color="#000000"><tt><font color="#660000"><34>1
2003-10-11T22:14:15.003Z <a href="http://mymachine.example.com">mymachine.example.com</a> su - ID47 -
BOM'su root' failed for lonvick on /dev/pts/8</font></tt></font><font color="#000000"><br>
<br>
<br>
The forementioned bug in the documentation is that it says the
tcp() destination driver ts_format uses the global ts_format
setting. It doesnt.<br>
<br>
-Patrick<br></font></div></blockquote></div><br></div></div></body></html>