<div dir="ltr">Yes, that was the exact problem, thanks for that! Using no-parse and also the date-parser, I have been able to get this working perfectly. <div>I now have ISODATE matching to the same timestamp in the message from the firewall.</div><div><br></div><div>Thanks for the help.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 18, 2017 at 5:43 PM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Your firewall probably does not use rfc3164 properly and, although syslog-ng does have a few heuristics to deal with differences, your fw may just get parsed incorrectly.<div dir="auto"><br></div><div dir="auto">You might want to disable parsing using flags(no-parse) and then deal with it accordingly.</div><div dir="auto"><br></div><div dir="auto">No-parse will put the entire message with headers to $MSG, which then can be broken down by various syslog-ng parsers, like the date-parser or regexp-based ones.</div><div dir="auto"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Jun 18, 2017 02:40, "Andrew" <<a href="mailto:toranagtrx@gmail.com" target="_blank">toranagtrx@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I looked into it further and the firewall is sending the year in the message. I thought that it wasn't, but it was getting chopped off in the JSON output.<div>I rectified it by using ${MSGHDR}${MSG} in my template, which now gives me the full timestamp in the message, which is mainly what I needed. </div><div><br></div><div>I will look into the date-parser, thanks for the info. 
</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 18, 2017 at 7:14 AM, Fabien Wernli <span dir="ltr"><<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Andrew,<br>
<br>
If you have a recent enough syslog-ng version, you can use the date-parser<br>
to parse your date. Otherwise, I guess you could use the current year $YEAR<br>
and add it to the message using a rewrite rule.<br>
<br>
Cheers<br>
<br>
______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
</blockquote></div><br></div>
<br></blockquote></div></div>
<br></blockquote></div><br></div>