<p dir="ltr"><br>
On Apr 15, 2014 8:33 PM, "David Hauck" <<a href="mailto:davidh@netacquire.com">davidh@netacquire.com</a>> wrote:<br>
><br>
> On Tuesday, April 15, 2014 11:10 AM, <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> wrote:<br>
> > If you are using the S_* macros then you will get the time stamp that<br>
> > the application places into the log line.<br>
> > That is usually a time stamp with no subsecond data.<br>
><br>
> I'm curious about why this is? You mention this "usually" contains no sub-second granularity: under what conditions is this not true (i.e., when would this actually contain sub-second granularity)?</p>
<p dir="ltr">The syslog() API doesn't send such timestamps. So unless the app has a custom log implementation, no such information becomes available.<br>
><br>
> > If you use the R_* macros for your date/time then you should get the<br>
> > subsecond resolution.<br>
><br>
> Thanks, I'm using ISODATE in my custom template (just like the default template). Looking closely I see that I can use the S_ and R_ variants with this macro. Changing my template to use "R_ISODATE" does indeed fix this.<br>
><br>
> Thanks again for the quick tip!<br>
><br>
> > On 04/15/2014 10:31 AM, David Hauck wrote:<br>
> >> Hello,<br>
> >><br>
> >> I'm using the following global options in order to format messages with<br>
> >> millisecond resolution:<br>
> >><br>
> >> ts_format(iso);<br>
> >> frac_digits(3);<br>
> >> Although the initial (syslog-ng starting) message appears to include<br>
> >> sub- second resolution subsequent messages do not:<br>
> >><br>
> >> 20140415 10:19:23.590 notice syslog(syslog-ng):syslog-ng starting up;<br>
> >> version='3.5.4.1' ... 20140415 10:19:33.000 notice authpriv(su):FAILED<br>
> >> su for test by root ... 20140415 10:20:11.000 notice user(root):test<br>
> >><br>
> >> This includes messages originating from any number of sources<br>
> >> (including<br>
> > all processes that log via syslog()), *except* messages originating<br>
> > from the kernel (these always seem to have sub-second resolution).<br>
> > Does anyone have any ideas what might be going on here?<br>
> >><br>
> >> Thanks,<br>
> >> -David<br>
> >><br>
> >> PS: the timestamp formatting above is done via a simple template.<br>
> > Regardless of this (re-)formatting nominal iso messages also exhibit<br>
> > this limitation. For e.g.,:<br>
> >><br>
> >> 2014-04-14T15:23:48.000-07:00 host99738728 nasysconfd: exit code 0<br>
> >> for /netacquire/bin/sysconf/osinfo read<br>
> >><br>
> >><br>
> >><br>
> > __________________________________________________________<br>
> > ____________<br>
> >> ________ Member info:<br>
> >> <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> >> Documentation:<br>
> >> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> >> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> >><br>
> ><br>
> ><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
</p>