As previously posted, my old v 1.5 syslog-ng daemon had a little problem with SSR syslog messages which incorrectly use "MMM 0D" format instead of "MMM D" format for days 1 to 9 of each month, against RFC3164's strictures, and unlike all other hosts and routers I've come across.

As a fix, I first upgraded to 1.6.0rc3 latest snapshot, manually forced one of the SSR's into "tomorrow", and thereby forced a syslog message of the wrong format to be issued as per below:

Jul 31 16:54:35 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (exit ) executed
Jul 31 16:55:46 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (system show date ) executed
Aug 01 01:01:01 fttv-e7D-ssr-sl1 %SYS-I-DATE_CHANGE, The system's date has been changed to: 2003-08-01 01:01:01
Aug 01 01:01:07 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (system show date ) executed
Aug 01 01:01:33 fttv-e7D-ssr-sl1 %CONFIG-W-NOTSAVED, Changes made to the running system are not saved to Startup
Aug 01 01:01:36 fttv-e7D-ssr-sl1 %SYS-A-CLI_MODE_CHANGE, CLI mode changed to (guest).
Aug 01 01:01:36 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (logout ) executed

Which goes to prove that even v1.6 code still 'fails' to auto-correct the broken date-stamp.

The patch fix below corrects the problem in src/log.c - simply patch log.c and touch log.c.x and remake the syslog-ng binary.

[user@host syslog-ng]$ pwd
/usr/src/patches/syslog-ng
[user@host syslog-ng]$ diff -u log.c-1.6.0rc3.orig log.c-1.6.0rc3.patched
--- log.c-1.6.0rc3.orig Tue Jul 29 09:36:59 2003 +++ log.c-1.6.0rc3.patched Tue Jul 29 10:05:44 2003 
@@ -108,6 +108,22 @@ src[9] == ':' && src[12] == ':') { /* Expected buffer format: MMM DD HH:MM:SS ... */ + /* Catcher for violation of RFC3164 para 4.1.2: + "If the day of the month is less than 10, then it MUST + be represented as a space and then the number. + For example, the 7th day of August would be represented + as "Aug 7", with two spaces between the "g" and + the "7"." + + Enterasys Expedition Routers are known to violate + this clause. + + Ted_Rule@flextech.co.uk: 29/07/2003 */ + if ( src[4] == '0' && isdigit(src[5]) && + isdigit(src[7]) && isdigit(src[8]) ) { + src[4] = ' '; + } + /* Just read the buffer data into a textual datestamp. */ lm->date = c_format_cstring("%s", 15, src);
[user@host syslog-ng]$

Which resulted in the correct format messages appearing in the actual syslog files, after which time, I flipped the router back to "today" and re-enabled NTP.

Jul 31 16:54:35 fttv-e7D-ssr-sl1 %SYS-A-CLI_MODE_CHANGE, CLI mode changed to (enabled).
Jul 31 16:54:35 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (exit ) executed
Jul 31 16:55:46 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (system show date ) executed
Aug 01 01:01:01 fttv-e7D-ssr-sl1 %SYS-I-DATE_CHANGE, The system's date has been changed to: 2003-08-01 01:01:01
Aug 01 01:01:07 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (system show date ) executed
Aug 01 01:01:33 fttv-e7D-ssr-sl1 %CONFIG-W-NOTSAVED, Changes made to the running system are not saved to Startup
Aug 01 01:01:36 fttv-e7D-ssr-sl1 %SYS-A-CLI_MODE_CHANGE, CLI mode changed to (guest).
Aug 01 01:01:36 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (logout ) executed
Aug  1 01:10:22 fttv-e7D-ssr-sl1 %SYS-A-CLI_MODE_CHANGE, CLI mode changed to (guest).
Aug  1 01:10:22 fttv-e7D-ssr-sl1 %TELNETD-A-LOGIN, Telnet user login
Aug  1 01:10:24 fttv-e7D-ssr-sl1 %SYS-A-CLI_MODE_CHANGE, CLI mode changed to (enabled).
Aug  1 01:10:24 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (en ) executed
Jul 31 17:08:00 fttv-e7D-ssr-sl1 %SYS-I-DATE_CHANGE, The system's date has been changed to: 2003-07-31 17:08:00
Jul 31 17:08:05 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (system show date ) executed
Jul 31 17:08:23 fttv-e7D-ssr-sl1 %SYS-A-CLI_MODE_CHANGE, CLI mode changed to (guest).
Jul 31 17:08:23 fttv-e7D-ssr-sl1 %CLI-A-COMMAND_EXEC, CLI command (logout ) executed

I believe the reason that the date parsing of the original message fails to auto-correct the problem is that the write of msg->date to msg->line in src/affile.c/do_handle_dest_writer() uses the original 15 byte raw date string, rather than rebuild a date string on the fly from the tm struct which is parsed by log.c:

static void do_handle_dest_writer(struct log_handler *c, struct log_info *msg)
{
        CAST(affile_dest_writer, self, c);

        if (self->dest) {
                struct ol_string *msg_line;

                if (self->owner->template_output) {
                        msg_line = expand_macros(
                                        self->owner->cfg,
                                        self->owner->template_output,
                                        self->owner->template_escape, msg);
                } else {
                        msg_line = c_format("%S %S %S\n", msg->date, msg->host, msg->msg);
                }
                A_WRITE_STRING(&self->dest->buffer->super, msg_line);
                if (self->reap)
                        io_callout_set_timeout(self->reap, self->time_reap);
        }
        log_info_free(msg);
}

Ted
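
Review bot: In the added condition of the log.c hunk, isdigit(src[5]) also accepts '0', so a day field of "00" is rewritten to " 0" and passed on as though it were repaired; testing src[5] >= '1' && src[5] <= '9' would limit the rewrite to the "01" to "09" case the comment describes. If src is a plain char buffer, the isdigit() arguments should be cast to unsigned char, because the bytes come from the sending device and a negative char value is undefined for isdigit(). The hunk adds no #include, so confirm log.c already pulls in <ctype.h>. The assignment src[4] = ' ' also edits the received buffer in place, which the comment should state is intended, since anything that later reads the raw message sees the altered byte.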
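
The closing paragraph's point, that the output side copies the sender's raw 15-byte date rather than rebuilding it from parsed fields, shown as an added example (not syslog-ng code and not part of the original post). normalize_rfc3164_date() is a hypothetical helper that parses the timestamp into integer fields (standing in for the tm struct) and re-emits it, so "Aug 01" comes out as "Aug  1" and malformed dates are rejected instead of patched up.

```c
#include <stdio.h>
#include <string.h>

static const char *const MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Read a two-character decimal field. A leading space stands for a zero
   tens digit only where allow_space is set (the day field). -1 on error. */
static int two_digits(const char *p, int allow_space)
{
    int tens;

    if (p[0] >= '0' && p[0] <= '9')
        tens = p[0] - '0';
    else if (allow_space && p[0] == ' ')
        tens = 0;
    else
        return -1;
    if (p[1] < '0' || p[1] > '9')
        return -1;
    return tens * 10 + (p[1] - '0');
}

/* Hypothetical helper: parse the first 15 bytes of src as a BSD syslog
   timestamp and write a rebuilt "Mmm dd hh:mm:ss" string to out.
   Returns 0 on success, -1 if the input is not a plausible timestamp. */
int normalize_rfc3164_date(const char *src, size_t len, char out[16])
{
    int mon, day, hh, mm, ss;

    if (len < 15 || src[3] != ' ' || src[6] != ' ' ||
        src[9] != ':' || src[12] != ':')
        return -1;
    for (mon = 0; mon < 12; mon++)
        if (memcmp(src, MONTHS[mon], 3) == 0)
            break;
    day = two_digits(src + 4, 1);
    hh = two_digits(src + 7, 0);
    mm = two_digits(src + 10, 0);
    ss = two_digits(src + 13, 0);
    if (mon == 12 || day < 1 || day > 31 || hh < 0 || hh > 23 ||
        mm < 0 || mm > 59 || ss < 0 || ss > 59)
        return -1;
    /* %2d pads days 1 to 9 with a space, as RFC3164 section 4.1.2 requires. */
    snprintf(out, 16, "%s %2d %02d:%02d:%02d", MONTHS[mon], day, hh, mm, ss);
    return 0;
}
```

Because the output string is built from validated fields, the result has the same layout whichever of the " D", "0D" or "DD" day forms the sender used.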