<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p></p>
<div><span style="font-size: 12pt;">I don't know what type of advice better for me I need some more time.</span><br>
</div>
<div><br>
</div>
<div>Thanks for your kindness guys! </div>
<div><br>
</div>
<p></p>
<p><br>
</p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<p></p>
<div style="color:rgb(33,33,33); font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont; font-size:15px; margin:0px">
<font size="2" style="font-family:Calibri,sans-serif,serif,EmojiFont"><span style="font-size:11pt"><font size="2" color="#2E74B5" style="font-family:Arial,sans-serif,serif,EmojiFont"><span style="font-size:10pt"><span style="font-size:10pt">best regards</span><span style="font-size:10pt">,</span></span></font></span></font></div>
<span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33); font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont; font-size:15px; margin:0px">
<font size="2" style="font-family:Calibri,sans-serif,serif,EmojiFont"><span style="font-size:11pt"><font size="2" color="#0073AF" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:10pt"><b>Nepryahin Ivan</b></span></font></span></font></div>
<div style="color:rgb(33,33,33); font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont; font-size:15px; margin:0px">
<font size="2" style="font-family:Calibri,sans-serif,serif,EmojiFont"><span style="font-size:11pt"><font size="1" color="#2E74B5" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:10pt">IT Department</span></font></span></font></div>
<span style="font-size:10pt"></span><span style="font-size:9pt"></span><span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33); font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont; font-size:15px; margin:0px">
<font size="2" style="font-family:Calibri,sans-serif,serif,EmojiFont"><span style="font-size:11pt"><font size="1" color="#0073AF" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt"><b>Phone</b></span></font><font size="1" color="#0073AF" style="font-family:"Cambria Math",serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt"><b>: </b></span></font><font size="1" color="#0073AF" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt">+7
812 327 32 33</span></font></span></font></div>
<div style="color:rgb(33,33,33); font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont; font-size:15px; margin:0px">
<font size="2" style="font-family:Calibri,sans-serif,serif,EmojiFont"><span style="font-size:11pt"><font size="1" color="#0073AF" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt"><b>Mobile: </b></span></font><font size="1" color="#0073AF" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt">+7 </span></font><font size="1" color="#2E74B5" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt">911
291 81 68</span></font><font size="1" color="#0073AF" style="font-family:Arial,sans-serif,serif,EmojiFont"><span lang="en-US" style="font-size:8pt"></span></font></span></font></div>
<br>
<p></p>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of SZIGETVÁRI János <jszigetvari@gmail.com><br>
<b>Sent:</b> Friday, March 26, 2021 4:01:26 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] syslog-ng has add extra field</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Hi Ivan,</div>
<div><br>
</div>
<div>Sorry for the slight delay, but your emails ended up in my spam folder for some reason.</div>
<div>I see Bazsi already answered to your last email, and I can confirm what he said.</div>
<div><br>
</div>
<div>The logs are sent over UDP/514, and seem to follow the legacy/BSD-style log format, but the timestamp seems to be off.</div>
<div>You see, syslog-ng would expect something like this:</div>
<div><br>
</div>
<div>
<pre class="gmail-newpage"><34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8</pre>
</div>
<div>
<div>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div>While it gets something like this:</div>
<div>
<pre class="gmail-newpage"><189>Mar 26 2021 11:11:44+03:00 HUAWEI-CORE-IMAQLIQ-1 ...</pre>
</div>
<div>This is different from the expected format in two aspects:</div>
<div>- it includes the four-digit year, which RFC3164 doesn't contain</div>
<div>- it includes the timezone offset, like you mentioned</div>
<div><br>
</div>
<div>I don't really know, and haven't used any Huawei switches, so I don't know how flexible they are from a logging perspective, and what options they offer.</div>
<div>These two fields are normally included as part of the IETF-syslog/RFC5424 format, but that log format looks slightly different, and the year is the first part of the timestamp:</div>
<div><br>
</div>
<div><span style="font-family:monospace"><34>1 2003-10-11T22:14:15.003Z <a href="http://mymachine.example.com">
mymachine.example.com</a> su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8</span></div>
<div><br>
</div>
<div>Again I don't know whether Huawei devices allow you to select which format to use, but this second format seems to be closer to what you want.</div>
<div>Either way, if the switch doesn't allow you to choose between these two formats, you would be best off with the flags(no-parse) option, like Bazsi mentioned.</div>
<div>In that case I would recommend that you use the config below, if you just want to store the messages from the Huawei switch in their original format:</div>
<div><br>
</div>
<div>
<pre class="gmail-newpage">@version: 3.18
@include "scl.conf"

source s_local {
    internal();
};

source s_huawei-udp514-no-parse {
    network(
        transport(udp)
        port(514)
        flags(no-parse)
    );
};

source s_network {
    network(
        transport(tcp)
        port(514)
    );
    syslog(
        transport(tcp)
        port(601)
    );
};

destination d_huawei-logs {
    file("/var/log/messages-huawei_${YEAR}-${MONTH}-${DAY}.log" template("${MSG}\n"));
    file("/var/log/messages-huawei_${HOST}.log" perm(0644));
};

destination d_local {
#   file("/var/log/messages");
    file("/var/log/messages-kv_${YEAR}-${MONTH}-${DAY}.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
    file("/var/log/messages_${HOST}.log"
        perm(0644)
    );
};

destination d_logstore {
    file(
        "/var/log/remote/${HOST}/${HOST}_${YEAR}-${MONTH}-${DAY}.log"
        create-dirs(yes)
    );
};

log {
    source(s_local);
    source(s_network);
    destination(d_local);
    destination(d_logstore);
};

log {
    source(s_huawei-udp514-no-parse);
    destination(d_huawei-logs);
    destination(d_logstore);
};</pre>
</div>
<div dir="ltr"><br>
</div>
<div>The only downside of my approach is that you won't be able to save the logs in key-value format, due to the parsing being turned off.</div>
<div>If that was your main goal, then you are better off with Bazsi's recommendation of writing your own application adapter, but that's a bit more difficult than simply saving the messages in their original format.</div>
<div><br>
</div>
<div>I hope I was able to help.</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>János Szigetvári<br>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
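<div>Added example, not code from any message in this thread and not syslog-ng's own parser: a small Python script that tells the header layouts discussed above apart (RFC 3164 with and without the four-digit year, the Huawei variant with the +hh:mm offset, and RFC 5424), splits PRI into facility and severity the way the tcpdump output shows it, normalises each timestamp to ISO 8601 (and to UTC where the header carries a zone), and reports which lines would need flags(no-parse). It also checks an already written log line for the "two extra fields" symptom from the first mail. The regexes, the sample lines and the names classify, needs_no_parse and double_stamped are constructed for this illustration; the samples are modelled on the lines quoted in the thread.</div>

```python
"""Added illustration for the thread (constructed, not syslog-ng's or any poster's code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLES = {
    "bsd": "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "ietf": "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
            "'su root' failed for lonvick on /dev/pts/8",
    "year": "<189>Mar 26 2021 08:23:37 HUAWEI-CORE-IMAQLIQ-1 "
            "%%01CLI/5/CMDRECORD(s):CID=0x80ca2713;Recorded command information.",
    "year_tz": "<189>Mar 26 2021 11:11:44+03:00 HUAWEI-CORE-IMAQLIQ-1 "
               "%%01CLI/5/CMDRECORD(s):CID=0x80ca2713;Recorded command information.",
}
# Constructed lines as syslog-ng wrote them to disk; the second shows the symptom
# from the first mail: receive time and sender address in front of the message.
STORED_OK = "Mar 25 13:11:57 HUAWEI-CORE-OFFICE-1 user login accepted"
STORED_BROKEN = ("Mar 25 13:46:45 192.168.100.34 Mar 25 2021 16:46:45+03:00 "
                 "HUAWEI-CORE-OFFICE-1 user login accepted")

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# RFC 3164 (<PRI>Mmm dd hh:mm:ss HOST MSG) extended with the optional four-digit
# year and the optional +hh:mm offset that the Huawei captures show.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2})"
    r"(?: (?P<year>\d{4}))? (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?P<tz>[+-]\d{2}:\d{2})? (?P<host>\S+) (?P<msg>.*)$"
)
# Header written by syslog-ng's default file template, and a second device header
# that may follow it inside MSG when parsing of the original header failed.
STORED_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<msg>.*)$")
INNER_TS_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})? ")


def _offset(tz: str) -> timezone:
    """Turn '+03:00' or '-05:30' into a fixed-offset tzinfo."""
    sign = 1 if tz[0] == "+" else -1
    hours, minutes = (int(part) for part in tz[1:].split(":"))
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def classify(line: str, default_year: int = 2003) -> dict:
    """Describe a raw line: format ("ietf", "bsd", "bsd-year", "bsd-offset", "unknown"),
    facility/severity, ISO 8601 timestamp (plus UTC form when a zone is known), host, msg.
    A plain RFC 3164 header carries no year, so default_year is substituted for it."""
    m = IETF_RE.match(line)
    if m:
        # fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
        dt = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        fmt = "ietf"
    else:
        m = BSD_RE.match(line)
        if m is None:
            return {"format": "unknown", "raw": line}
        year = m.group("year") or str(default_year)
        dt = datetime.strptime(f"{m.group('mon')} {m.group('day')} {year} {m.group('time')}",
                               "%b %d %Y %H:%M:%S")
        if m.group("tz"):
            dt = dt.replace(tzinfo=_offset(m.group("tz")))
            fmt = "bsd-offset"
        else:
            fmt = "bsd-year" if m.group("year") else "bsd"
    pri = int(m.group("pri"))
    return {
        "format": fmt,
        "facility": pri // 8,  # 189 -> 23 (local7), as in the tcpdump output
        "severity": pri % 8,   # 189 -> 5 (notice)
        "timestamp": dt.isoformat(),
        "utc": dt.astimezone(timezone.utc).isoformat() if dt.tzinfo else None,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def needs_no_parse(line: str) -> bool:
    """True when, going by what the thread observed, the default header parsing would
    not accept the line (the +hh:mm variant, or anything unrecognised), so the
    receiving source needs flags(no-parse) or a purpose-written parser."""
    return classify(line)["format"] in ("bsd-offset", "unknown")


def double_stamped(stored_line: str) -> bool:
    """Detect the first mail's symptom in an already written log: a receive timestamp
    plus sender address in front of a message that still starts with the device's
    own header, which means header parsing failed on ingest."""
    m = STORED_RE.match(stored_line)
    return bool(m and INNER_TS_RE.match(m.group("msg")))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        info = classify(line)
        print(f"{name:8} {info['format']:11} {info['timestamp']:26} no-parse={needs_no_parse(line)}")
    print("double-stamped:", double_stamped(STORED_OK), double_stamped(STORED_BROKEN))
```

<div>Run as a script it prints one line per sample. Of the four layouts only the +hh:mm variant comes back with no-parse=True, matching the thread's observation that the year alone was accepted while the offset was not. double_stamped() is the check to run over an existing messages_${HOST}.log: every line where the collector's receive time and the sender's address precede a second, device-written header is one whose header parsing failed on ingest, which is also why $HOST, and with it the per-host file name, turned into the IP address in the first mail.</div>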
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Ivan Nepryahin - Bercut <<a href="mailto:Ivan.Nepryahin@bercut.com">Ivan.Nepryahin@bercut.com</a>> ezt írta (időpont: 2021. márc. 26., P, 9:42):<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div id="gmail-m_-6619897043450351993divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p>I've made a pcap file and sent it to you.</p>
<p><br>
</p>
<p>A piece of the output (for history)</p>
<p><br>
</p>
<p></p>
<div>####### with +03:00</div>
<div><span style="font-size:12pt">11:11:45.057726 IP (tos 0x0, ttl 239, id 17, offset 0, flags [none], proto UDP (17), length 297)</span><br>
</div>
<div> 192.168.102.1.38514 > 172.18.0.2.syslog: SYSLOG, length: 269</div>
<div> Facility local7 (23), Severity notice (5)</div>
<div> Msg: Mar 26 2021 11:11:44+03:00 HUAWEI-CORE-IMAQLIQ-1 %%01CLI/5/CMDRECORD(s):CID=0x80ca2713;Recorded command information. (Task=VTY0, RemoteIp=192.168.55.41, VpnName=_public_, User=nepryahin, AuthenticationMethod="Tacacs", Command="system-view",
LocalIp=192.168.102.1.)</div>
<div><br>
</div>
<div><br>
</div>
<div>####### without +03:00</div>
<div><span style="font-size:12pt">11:23:37.882898 IP (tos 0x0, ttl 239, id 50, offset 0, flags [none], proto UDP (17), length 284)</span><br>
</div>
<div> 192.168.102.1.38514 > 172.18.0.2.syslog: SYSLOG, length: 256</div>
<div> Facility local7 (23), Severity notice (5)</div>
<div> Msg: Mar 26 2021 08:23:37 HUAWEI-CORE-IMAQLIQ-1 %%01CLI/5/CMDRECORD(s):CID=0x80ca2713;Recorded command information. (Task=VTY0, RemoteIp=192.168.55.41, VpnName=_public_, User=nepryahin, AuthenticationMethod="Tacacs", Command="quit", LocalIp=192.168.102.1.)</div>
<div><br>
</div>
<br>
<p></p>
<p><br>
</p>
<p></p>
<div>Thank you for your kindness!</div>
<div><br>
</div>
<div><br>
</div>
<div id="gmail-m_-6619897043450351993Signature">
<div id="gmail-m_-6619897043450351993divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<p></p>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="2" color="#2E74B5"><span style="font-size:10pt"><span style="font-size:10pt">best regards</span><span style="font-size:10pt">,</span></span></font></span></font></div>
<span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="2" color="#0073AF"><span style="font-size:10pt" lang="en-US"><b>Nepryahin Ivan</b></span></font></span></font></div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#2E74B5"><span style="font-size:10pt" lang="en-US">IT Department</span></font></span></font></div>
<span style="font-size:10pt"></span><span style="font-size:9pt"></span><span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>Phone</b></span></font><font style="font-family:"Cambria Math",serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>: </b></span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US">+7
812 327 32 33</span></font></span></font></div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>Mobile: </b></span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US">+7 </span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#2E74B5"><span style="font-size:8pt" lang="en-US">911
291 81 68</span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"></span></font></span></font></div>
<br>
<p></p>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-6619897043450351993divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of SZIGETVÁRI János <<a href="mailto:jszigetvari@gmail.com" target="_blank">jszigetvari@gmail.com</a>><br>
<b>Sent:</b> Thursday, March 25, 2021 8:55:36 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] syslog-ng has add extra field</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Hi Ivan,</div>
<div><br>
</div>
<div>Okay, I see what you mean.</div>
<div>The thing is that the default-network-drivers() source in your config is automatically and seamlessly expanded to a series of syslog() and network() sources definitions.</div>
<div>The syslog(...) and network(...) statements I mentioned earlier were source definitions as well.</div>
<div><br>
</div>
<div>In order to get a more thorough look at your use-case, I would kindly request you to send (either to me privately, or to this mailing list) a packet dump of the Huawei device's logs so that I can identify which port the traffic is destined to (and through
which protocol), and what the actual format of the logs is.</div>
<div><br>
</div>
<div>You can either do this by</div>
<div>* running tcpdump ( tcpdump -peni any -v -w /tmp/syslog.pcap "port 514 or port 601" ), or</div>
<div>* by downloading (if the script wasn't already deployed along with your syslog-ng installation) and running
<a href="https://raw.githubusercontent.com/syslog-ng/syslog-ng/master/contrib/syslog-ng-debun" target="_blank">
syslog-ng-debun</a> ( syslog-ng-debun -r -p -t 300 ) (this will run the information-gathering script for 5 minutes, and it will try to do the packet capture for you)</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>János Szigetvári<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Ivan Nepryahin - Bercut <<a href="mailto:Ivan.Nepryahin@bercut.com" target="_blank">Ivan.Nepryahin@bercut.com</a>> ezt írta (időpont: 2021. márc. 25., Cs, 16:38):<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p>Thanks for your reply, <span>János!</span></p>
<p><span><br>
</span></p>
<p><span>Could you please explain to me what that means?</span></p>
<p><span><br>
</span></p>
<p><span></span></p>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px">
</div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px">
>network(transport(tcp|udp))</div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px">
>or</div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px">
>syslog() or network(transport(tcp|udp) flags(syslog-protocol))</div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px">
</div>
<br>
<p></p>
<p><span><br>
</span></p>
<p><br>
</p>
<p><span><br>
</span></p>
<p><span>======================================================================</span></p>
<p><span><br>
</span></p>
<p><span>my config:</span></p>
<p><span><br>
</span></p>
<p><span><span style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px"></span></span></p>
<div><br>
</div>
<div>
<pre class="gmail-newpage">@version: 3.18
@include "scl.conf"

source s_local {
    internal();
};

source s_network {
    default-network-drivers(
        # NOTE: TLS support
        #
        # the default-network-drivers() source driver opens the TLS
        # enabled ports as well, however without an actual key/cert
        # pair they will not operate and syslog-ng would display a
        # warning at startup.
        #
        #tls(key-file("/path/to/ssl-private-key") cert-file("/path/to/ssl-cert"))
    );
};

destination d_local {
#   file("/var/log/messages");
    file("/var/log/messages-kv_${YEAR}-${MONTH}-${DAY}.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
    file("/var/log/messages_${HOST}.log"
        perm(0644)
    );
};

destination d_logstore {
    file(
        "/var/log/remote/${HOST}/${HOST}_${YEAR}-${MONTH}-${DAY}.log"
        create-dirs(yes)
    );
};

log {
    source(s_local);
    source(s_network);
    destination(d_local);
    destination(d_logstore);
#   destination(d_sorted);
};</pre>
</div>
<div><br>
</div>
<br>
<p></p>
<p><br>
</p>
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016Signature">
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<p></p>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="2" color="#2E74B5"><span style="font-size:10pt"><span style="font-size:10pt">best regards</span><span style="font-size:10pt">,</span></span></font></span></font></div>
<span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="2" color="#0073AF"><span style="font-size:10pt" lang="en-US"><b>Nepryahin Ivan</b></span></font></span></font></div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#2E74B5"><span style="font-size:10pt" lang="en-US">IT Department</span></font></span></font></div>
<span style="font-size:10pt"></span><span style="font-size:9pt"></span><span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>Phone</b></span></font><font style="font-family:"Cambria Math",serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>: </b></span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US">+7
812 327 32 33</span></font></span></font></div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>Mobile: </b></span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US">+7 </span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#2E74B5"><span style="font-size:8pt" lang="en-US">911
291 81 68</span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"></span></font></span></font></div>
<br>
<p></p>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016divRplyFwdMsg" dir="ltr">
<font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of SZIGETVÁRI János <<a href="mailto:jszigetvari@gmail.com" target="_blank">jszigetvari@gmail.com</a>><br>
<b>Sent:</b> Thursday, March 25, 2021 6:24:09 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] syslog-ng has add extra field</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Hello Ivan,</div>
<div><br>
</div>
<div>Most commonly, there are two main log formats that you may encounter.</div>
<div>One is the traditional BSD-style syslog, described in RFC 3164: <a href="https://tools.ietf.org/html/rfc3164" target="_blank">
https://tools.ietf.org/html/rfc3164</a></div>
<div>The other is the IETF-style log format, described in RFC 5424: <a href="https://tools.ietf.org/html/rfc5424" target="_blank">
https://tools.ietf.org/html/rfc5424</a></div>
<div><br>
</div>
<div>In case of syslog-ng you would have to either use</div>
<div>network(transport(tcp|udp))</div>
<div>or</div>
<div>syslog() or network(transport(tcp|udp) flags(syslog-protocol))</div>
<div>respectively.</div>
<div><br>
</div>
<div>The sample logs you included seem to resemble the IETF-style.</div>
<div>What type of source do you have configured in your syslog-ng setup? (Could you please share your config file?)</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>János<br>
</div>
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">--</div>
<div dir="ltr">Janos SZIGETVARI<br>
<span>RHCE, License no. <a href="https://www.redhat.com/rhtapps/verify/?certId=150-053-692" target="_blank">
150-053-692</a></span><br>
</div>
<div dir="ltr"><span><br>
</span></div>
<div dir="ltr"><span>LinkedIn: <a href="http://linkedin.com/in/janosszigetvari" target="_blank">
linkedin.com/in/janosszigetvari</a></span><br>
E-mail: <a href="mailto:janos@szigetvari.com" target="_blank">janos@szigetvari.com</a>,
<a href="mailto:jszigetvari@gmail.com" target="_blank">jszigetvari@gmail.com</a></div>
<div dir="ltr">Web: <a href="https://janos.szigetvari.com" target="_blank">janos.szigetvari.com</a><br>
<br>
__@__˚V˚<br>
Make the switch to open (source) applications, protocols, formats now:<br>
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice<br>
- msn -> jabber protocol (Pidgin, Google Talk)<br>
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Ivan Nepryahin - Bercut <<a href="mailto:Ivan.Nepryahin@bercut.com" target="_blank">Ivan.Nepryahin@bercut.com</a>> ezt írta (időpont: 2021. márc. 25., Cs, 14:56):<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016gmail-m_4841975196670874397gmail-m_-6357573219866753876divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p></p>
<div></div>
<div>Hi all!</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I think I have a stupid question, but I really don't know how to do this.</div>
<div><br>
</div>
<div>Situation: </div>
<div>When I send a syslog message with the timestamp in the format "1Mar 25 2021 16:35:49", everything works great, but when I send a message with the timestamp in the format "1Mar 25 2021 16:35:49<b>+03:00</b>", syslog-ng adds two extra fields with a timestamp and an IP address,
and because of that the file naming breaks.</div>
<div><br>
</div>
<div>Question:</div>
<div>How can I tell the syslog-ng server not to add extra fields when it gets a message with +03:00 in the timestamp?</div>
<div><br>
</div>
<div>message without +03:00</div>
<div></div>
<span>Mar 25 13:11:57 HUAWEI-CORE-OFFICE-1 &lt;bla bla bal&gt;</span>
<div><br>
</div>
<div>message with <span style="font-family:Calibri,Helvetica,sans-serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols;font-size:16px">+03:00 </span></div>
<div><span><span>Mar 25 13:46:45 192.168.100.34 Mar 25 2021 16:46:45<b>+03:00</b> HUAWEI-CORE-OFFICE-1 </span> &lt;bla bla bla&gt;</span><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div></div>
<span>I would appreciate any advice!</span><br>
<p></p>
<p><span><br>
</span></p>
<p><span><br>
</span></p>
<p><span>P.S. Sorry for my bad English, it is not my native language.</span></p>
<p><br>
</p>
<p><br>
</p>
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016gmail-m_4841975196670874397gmail-m_-6357573219866753876Signature">
<div id="gmail-m_-6619897043450351993gmail-m_606940339469346016gmail-m_4841975196670874397gmail-m_-6357573219866753876divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<p></p>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="2" color="#2E74B5"><span style="font-size:10pt"><span style="font-size:10pt">best regards</span><span style="font-size:10pt">,</span></span></font></span></font></div>
<span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="2" color="#0073AF"><span style="font-size:10pt" lang="en-US"><b>Nepryahin Ivan</b></span></font></span></font></div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#2E74B5"><span style="font-size:10pt" lang="en-US">IT Department</span></font></span></font></div>
<span style="font-size:10pt"></span><span style="font-size:9pt"></span><span style="font-size:10pt"></span>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>Phone</b></span></font><font style="font-family:"Cambria Math",serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>: </b></span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US">+7
812 327 32 33</span></font></span></font></div>
<div style="color:rgb(33,33,33);font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif,serif,EmojiFont;font-size:15px;margin:0px">
<font style="font-family:Calibri,sans-serif,serif,EmojiFont" size="2"><span style="font-size:11pt"><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"><b>Mobile: </b></span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US">+7 </span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#2E74B5"><span style="font-size:8pt" lang="en-US">911
291 81 68</span></font><font style="font-family:Arial,sans-serif,serif,EmojiFont" size="1" color="#0073AF"><span style="font-size:8pt" lang="en-US"></span></font></span></font></div>
<br>
<p></p>
</div>
</div>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">
http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
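<p>The symptom quoted in the question (a second timestamp and the sender's IP appearing in front of the original line, and the per-host file name switching to the IP) is what a BSD-syslog receiver produces when the header does not parse and it falls back to the arrival time and the peer address. The following is an added example, not code from the post or from syslog-ng: a small Python emulation of that fallback beside a parser that understands the device's "Mmm dd yyyy hh:mm:ss+03:00" header. The sample lines, the peer address 192.168.100.34, the arrival clock, the message text after the hostname and the file-name template are constructed for the demo.</p>

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the two lines quoted in the post.
# PEER_IP is the datagram's source address and RECEIVED_AT the receiver's
# clock at arrival; both are assumptions made for this demo.
PEER_IP = "192.168.100.34"
RECEIVED_AT = datetime(2021, 3, 25, 13, 46, 45)
GOOD = "Mar 25 13:11:57 HUAWEI-CORE-OFFICE-1 interface GigabitEthernet0/0/1 is up"
BAD = "Mar 25 2021 16:46:45+03:00 HUAWEI-CORE-OFFICE-1 interface GigabitEthernet0/0/1 is up"

# Classic BSD header: "Mmm dd hh:mm:ss HOST rest-of-message"
BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Device header with a four-digit year and a UTC offset glued to the time
TZ_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{4} \d\d:\d\d:\d\d)(?P<tz>[+-]\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")


def parse_bsd(line, received_at=RECEIVED_AT, peer_ip=PEER_IP):
    """Strict BSD-style parse. When the header does not match, fall back the
    way the post describes: stamp the record with the arrival time, use the
    peer address as HOST and keep the whole line as the MESSAGE."""
    m = BSD_HEADER.match(line)
    if m is None:
        return {"timestamp": received_at, "host": peer_ip, "msg": line}
    # BSD headers carry no year; borrow it from the receiver's clock.
    ts = datetime.strptime(f"{received_at.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "host": m["host"], "msg": m["msg"]}


def parse_with_tz(line, received_at=RECEIVED_AT, peer_ip=PEER_IP):
    """Try the offset-bearing header first, then fall back to the BSD parse,
    so both device formats end up with the real hostname in HOST."""
    m = TZ_HEADER.match(line)
    if m is None:
        return parse_bsd(line, received_at, peer_ip)
    ts = datetime.strptime(m["ts"] + m["tz"], "%b %d %Y %H:%M:%S%z")
    return {"timestamp": ts, "host": m["host"], "msg": m["msg"]}


def render(rec):
    """Re-emit the record with a BSD header, as a file destination would."""
    return f"{rec['timestamp']:%b %d %H:%M:%S} {rec['host']} {rec['msg']}"


def log_path(rec):
    """Per-host, per-day file name built from the parsed fields (constructed
    template; the post does not show the real one)."""
    return f"{rec['host']}/{rec['timestamp']:%Y-%m-%d}.log"


if __name__ == "__main__":
    for line in (GOOD, BAD):
        strict, tolerant = parse_bsd(line), parse_with_tz(line)
        print("strict  :", log_path(strict), "|", render(strict))
        print("tolerant:", log_path(tolerant), "|", render(tolerant))
```

<p>Running it shows the strict parse of the offset-bearing line producing exactly the duplicated header from the question ("Mar 25 13:46:45 192.168.100.34 Mar 25 2021 16:46:45+03:00 HUAWEI-CORE-OFFICE-1 ...") and a file under 192.168.100.34/ instead of under the device name, while the tolerant parse keeps the hostname and the +03:00 offset. The practical takeaway for a log pipeline is to make the receiver recognise the device's date format (in syslog-ng that is the job of a parser on the message text, for example date-parser(); the exact configuration is not part of this thread) rather than letting the fallback path decide the HOST used for file names.</p>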
</body>
</html>