So I'm using iso timezone format for my syslog clients: options { … ts_format(iso); … }; I expected this to use the iso format for all syslog entries. However, I've found that it only uses iso format for local syslog entries. syslog entries sent to the syslog-ng collector are in old rfc3164 format.
chiestand@host:~$ logger -t my-test asdlfkjasdfasdf
which sends (3 local entries, 1 remote entry):
sudo strace -ff -p 13658 ... write(10, "2012-04-05T18:14:37-07:00 host "..., 64) = 64 write(11, "2012-04-05T18:14:37-07:00 host "..., 64) = 64 write(9, "<13>Apr 5 18:25:09 host my-test"..., 58) = 58 write(14, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
or viewing with tcpdump:
chiestand@host:/var/log$ sudo tcpdump -A host syslog.server.salk.edu … .va<13>Apr 5 18:20:31 host my-test: asdlfkjasdfasdf
I would expect the iso format to be sent to the syslog-ng collector as well. Is this a bug or expected behavior? I checked bugzilla and debian bug tracker and didn't see anything. I'm running syslog-ng v3.1 on Debian squeeze. Thanks, Chris