Thank you all for your assistance.

It appears, since my email, that Splunk may have a part to play in this issue, as stopping and starting the forwarder resolves it for the most part.

I believe this can probably be cleared as an issue on the syslog-ng side. The same configuration works for the vast majority of other logs coming in via syslog.

Thank you again for all your help.

Kind Regards,

Gerald

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Scot
Sent: Wednesday, 22 November 2017 5:52 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng events in log timestamping wrong

destination d_file { file("/opt/syslog-ng/logs/$R_YEAR$R_MONTH$R_DAY/$HOST_FROM-$R_HOUR.log");}; 

On Tue, Nov 21, 2017 at 12:51 AM, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:

Can you pls show a more concrete sample? I don't understand "are being timestamped at the rotation time".

3.2 is ancient but I am not sure any newer stuff is available on cygwin.

On Nov 21, 2017 00:29, "Contreras, Gerald (DPS)" <Gerald.Contreras@aph.gov.au> wrote:

Hi All,

I am very new to syslog-ng via Cygwin.

I am having trouble with MWG proxy logs where individual events inside the log are being timestamped at the rotation time (timestamping at 00:00-00:01AM).
This happens intermittently so the problem isn't constant. I have verified via packet captures that the timestamp is correct up until syslog-ng begins to handle the event and write it to the log.

My syslog-ng.conf is as follows:

===============================================================
@version: 3.2

@include "scl.conf"

options {
    create_dirs(yes);
    use_dns(yes);
    dns_cache_hosts("/etc/hosts");   # the path is a string and must be quoted
    dns_cache_expire(3600);
    chain_hostnames(0);
    log_fifo_size(512);
    perm(0644);
    dir_perm(0755);
    time_reopen(10);
    time_reap(360);
    use_fqdn(no);
    keep_hostname(no);
    stats_freq(0);
};

# Plain UDP syslog on port 514
source s_network {
    udp(port("514"));
};

# One file per host and day. $MONTH/$DAY expand from the message's own
# timestamp (the $S_ macros); the $R_ macros use the time syslog-ng received it.
destination s_files {
    file("/cygdrive/d/syslog/$HOST/$HOST-$MONTH-$DAY.log" create_dirs(yes));
};

log { source(s_network); destination(s_files); };
==============================================================

Thanks. Any help or direction would be much appreciated.

Important Notice: If you have received this email by mistake, please advise the sender and delete the message and attachments immediately. This email, including attachments, may contain confidential, sensitive, legally privileged and/or copyright information. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited.

Please consider the environment before printing this email.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

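An added check, not code from the thread, for the symptom Gerald describes: events whose stamp falls in the first minutes of the day but that sit between later-stamped events in a daily $HOST-$MONTH-$DAY.log file. The log lines, the host name and the year are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a daily per-host file (not taken from the thread):
# BSD syslog headers carry no year, as written by a file() destination.
SAMPLE_LOG = """\
Nov 21 09:14:02 mwg01 proxy: GET http://example.test/a 200
Nov 21 09:14:05 mwg01 proxy: GET http://example.test/b 200
Nov 21 00:00:17 mwg01 proxy: GET http://example.test/c 200
Nov 21 09:14:09 mwg01 proxy: GET http://example.test/d 304
Nov 21 00:01:03 mwg01 proxy: GET http://example.test/e 200
Nov 21 09:15:41 mwg01 proxy: GET http://example.test/f 200
"""

HEADER_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")

def parse_stamp(line, year):
    """Parse the BSD syslog header; the year is an assumption since the header omits it."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")

def find_suspect_lines(text, year=2017, window=timedelta(minutes=2)):
    """Return (line_no, line) for events stamped within `window` of midnight
    that appear after a later-stamped event in the same file. Stamps inside a
    daily file should not go backwards, so such a jump matches the symptom in
    the thread (events stamped 00:00-00:01 at rotation time)."""
    suspects = []
    baseline = None
    for n, line in enumerate(text.splitlines(), start=1):
        ts = parse_stamp(line, year)
        if ts is None:
            continue  # continuation lines or unparseable headers are skipped
        midnight = ts.replace(hour=0, minute=0, second=0)
        if baseline is not None and ts < baseline and ts - midnight <= window:
            suspects.append((n, line))
            continue  # keep the baseline at the last plausible stamp
        baseline = ts
    return suspects

if __name__ == "__main__":
    for n, line in find_suspect_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```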