<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000066">
<font color="#000000">If syslog-ng is letting you set ts_format on
the tcp destination driver (not throwing a syntax error), but isn't
using it, then I'd definitely think bug (though this is something
the balabit folks should confirm).<br>
An alternate method would be to use a template on the tcp
destination driver and explicitly build a format which uses the
ISO timestamp. For example:<br>
</font><tt><font color="#660000"># $PRI is the numeric facility*8+severity value an RFC 3164 receiver expects in the leading <...> field<br>
template t_tcp { template("<$PRI>$ISODATE $HOST $MSGHDR$MESSAGE\n"); };<br>
destination d_tcp { tcp("1.2.3.4" template(t_tcp)); };</font></tt><font color="#000000"><br>
Note the lack of space between $MSGHDR and $MESSAGE, that's
deliberate.<br>
<br>
-Patrick<br>
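<br>
Added example, mine rather than part of Patrick's or Chris's messages and not syslog-ng code: a small Python parser for the two wire formats this thread contrasts, RFC 3164 (what the tcp() driver emits) and RFC 5424 (what the syslog() driver emits). It is fed the tcpdump line quoted below (with the space-padded day RFC 3164 uses), the RFC 5424 example quoted further down, and a constructed line of the shape a tcp() template built around <$PRI>$ISODATE would send for the same CRON event (sender timezone assumed to be +00:00). The result is the point about the remote end: an ISO timestamp inside BSD framing matches neither grammar, so a strict receiver drops the line, while the same timestamp in RFC 5424 framing parses cleanly.<br>

```python
"""Added example (not from the thread): classify and parse syslog lines in the
RFC 3164 (BSD) and RFC 5424 (IETF) wire formats, and show that an ISO
timestamp inside BSD framing is rejected by a strict receiver."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample lines. BSD_LINE reproduces the tcpdump payload from the thread with the
# RFC 3164 space-padded day. IETF_LINE is the RFC 5424 example quoted in the
# reply, with the literal BOM the RFC places before a UTF-8 MSG. TEMPLATE_LINE is
# constructed: what a tcp() template of the form "<$PRI>$ISODATE $HOST $MSGHDR$MESSAGE"
# would emit for the same CRON event, assuming a +00:00 timezone on the sender.
BSD_LINE = ("<86>Apr  6 01:24:01 host CRON[1923]: "
            "pam_unix(cron:session): session closed for user root")
IETF_LINE = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
             "\ufeff'su root' failed for lonvick on /dev/pts/8")
TEMPLATE_LINE = ("<86>2012-04-06T01:24:01+00:00 host CRON[1923]: "
                 "pam_unix(cron:session): session closed for user root")

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG   (day is space-padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")

# RFC 5424: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$")


@dataclass
class SyslogMessage:
    fmt: str                 # "rfc3164" or "rfc5424"
    facility: int
    severity: int
    timestamp: str
    host: str
    program: str
    pid: Optional[str]
    message: str


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity, so the facility is the high bits."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def parse(line: str) -> Optional[SyslogMessage]:
    """Try RFC 5424 first (its VERSION field makes it unambiguous), then
    RFC 3164. Return None when the line fits neither grammar, which is what a
    strict receiver does with an ISO timestamp inside BSD framing."""
    m = RFC5424_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        msg = (m["msg"] or "").lstrip("\ufeff")   # RFC 5424 allows a leading BOM
        procid = None if m["procid"] == "-" else m["procid"]
        return SyslogMessage("rfc5424", fac, sev, m["ts"], m["host"],
                             m["app"], procid, msg)
    m = RFC3164_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage("rfc3164", fac, sev, m["ts"], m["host"],
                             m["tag"], m["pid"], m["msg"])
    return None


def classify(line: str) -> str:
    """Name the format a line parses as, or "unparseable"."""
    msg = parse(line)
    return msg.fmt if msg else "unparseable"


if __name__ == "__main__":
    for name, line in [("BSD_LINE", BSD_LINE), ("IETF_LINE", IETF_LINE),
                       ("TEMPLATE_LINE", TEMPLATE_LINE)]:
        print(f"{name:14} -> {classify(line)}")
        parsed = parse(line)
        if parsed:
            print(f"  facility={parsed.facility} severity={parsed.severity} "
                  f"ts={parsed.timestamp} host={parsed.host} "
                  f"program={parsed.program} pid={parsed.pid}")
```

Run it directly to print the classification of each line. decode_pri() also splits the <86> of the CRON line into facility 10 (authpriv) and severity 6 (info), which is how the leading PRI field of both formats is built; a receiver that cannot parse the header loses that information along with the timestamp.<br>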
<br>
<br>
<br>
Sent: Fri Apr 06 2012 04:40:07 GMT-0400 (EDT)<br>
From: Chris Hiestand <a class="moz-txt-link-rfc2396E" href="mailto:chiestand@salk.edu"><chiestand@salk.edu></a><br>
To: Patrick Hemmer <a class="moz-txt-link-rfc2396E" href="mailto:syslogng@stormcloud9.net"><syslogng@stormcloud9.net></a>, Syslog-ng
users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] ts_format(iso) bug or misunderstanding?</font>
<blockquote cite="mid:578126D3-BF74-415E-BAA7-F3D2DF0BDC69@salk.edu"
type="cite">
<div><font color="#000000">Thank you very much for your reply
Patrick, that was very helpful.</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">I have downloaded syslog-ng v3.3
(Debian Wheezy) just to get the latest, and I'm still having a
problem.</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">Based on your advice, I was able to
successfully get the iso ts_format if I use the syslog()
destination driver. However, if I use the tcp() destination
driver, I still cannot get iso ts_format. syslog-ng ignores my
parameter and sends old style timestamps.</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">my driver:</font></div>
<blockquote type="cite">
<div>
<div><font color="#000000">destination My_Syslog { tcp("syslog.server.salk.edu"
port(514) ts_format(iso) ); };</font></div>
</div>
</blockquote>
<blockquote type="cite"><font color="#000000">log { source(s_src);
destination(My_Syslog); };</font></blockquote>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000"><br>
</font></div>
<font color="#000000">tcpdump:</font>
<div>
<blockquote type="cite"><font color="#000000">@.m..<hw<86>Apr
6 01:24:01 host CRON[1923]: pam_unix(cron:session): session
closed for user root</font></blockquote>
<div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">In fact, I have tried all
variations of ts_format (rfc3164, bsd, rfc3339, iso) and I
always get the same result.</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">Eventually I will switch to the
syslog message protocol, so this is not a show-stopper.
But not getting something to work as advertised is still
troubling.</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">Could I be missing something else?
Or might we be in bug/documentation bug territory?</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000">Thanks,</font></div>
<div><font color="#000000">Chris</font></div>
<div><font color="#000000"><br>
</font></div>
<div><font color="#000000"><br>
</font></div>
<font color="#000000"><br>
</font>
<div>
<div><font color="#000000">On Apr 5, 2012, at 7:10 PM,
Patrick Hemmer wrote:</font></div>
<font color="#000000"><br class="Apple-interchange-newline">
</font>
<blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000066"> <font
color="#000000">Somewhere in between bug and
misunderstanding. The bug would be in documentation,
but the behavior is deliberate.<br>
The reason is that when sending over the network to a
syslog server, the server expects the message in a
certain format. When you change the timestamp, that
format is now invalid and the remote end might not be
able to parse it.<br>
<br>
Now you could put `ts_format(iso)` in the `tcp()`
destination driver. But if your remote server is
looking for a timestamp in ISO format, it probably
supports the <a moz-do-not-send="true"
href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_message_ietfsyslog.html">syslog
message protocol</a>, which uses ISO timestamps.
Syslog-ng uses the <a moz-do-not-send="true"
href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_destination_syslog.html">syslog</a>
destination driver for sending in this format.<br>
<br>
The syslog message protocol looks like this:<br>
</font><tt><font color="#660000"><34>1
2003-10-11T22:14:15.003Z mymachine.example.com
su - ID47 - BOM'su root' failed for lonvick on
/dev/pts/8</font></tt><font color="#000000"><br>
<br>
<br>
The aforementioned bug in the documentation is that it
says the tcp() destination driver ts_format uses the
global ts_format setting. It doesn't.<br>
<br>
-Patrick<br>
</font></div>
</blockquote>
</div>
<font color="#000000"><br>
</font></div>
</div>
</blockquote>
</body>
</html>