Somewhere in between bug and misunderstanding. The bug would be in the documentation, but the behavior is deliberate. The reason is that when sending over the network to a syslog server, the server expects the message in a certain format. When you change the timestamp, that format is now invalid and the remote end might not be able to parse it.

Now you could put `ts_format(iso)` in the `tcp()` destination driver. But if your remote server is looking for a timestamp in ISO format, it probably supports the syslog message protocol <http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_message_ietfsyslog.html>, which uses ISO timestamps. Syslog-ng uses the syslog <http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_destination_syslog.html> destination driver for sending in this format. The syslog message protocol looks like this:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

The aforementioned bug in the documentation is that it says the tcp() destination driver ts_format uses the global ts_format setting. It doesn't.

-Patrick

Sent: Thu Apr 05 2012 21:31:54 GMT-0400 (EDT)
From: Chris Hiestand <chiestand@salk.edu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] ts_format(iso) bug or misunderstanding?
So I'm using iso timezone format for my syslog clients:

options { ... ts_format(iso); ... };

I expected this to use the iso format for all syslog entries. However, I've found that it only uses iso format for local syslog entries. Syslog entries sent to the syslog-ng collector are in the old RFC 3164 format.
chiestand@host:~$ logger -t my-test asdlfkjasdfasdf
which sends (3 local entries, 1 remote entry):
sudo strace -ff -p 13658
...
write(10, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
write(11, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
write(9, "<13>Apr 5 18:25:09 host my-test"..., 58) = 58
write(14, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
or viewing with tcpdump:
chiestand@host:/var/log$ sudo tcpdump -A host syslog.server.salk.edu
...
.va<13>Apr 5 18:20:31 host my-test: asdlfkjasdfasdf
I would expect the iso format to be sent to the syslog-ng collector as well. Is this a bug or expected behavior? I checked bugzilla and debian bug tracker and didn't see anything.
I'm running syslog-ng v3.1 on Debian squeeze.
Thanks,
Chris
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
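To make the format mismatch in this thread concrete, the following is an added Python example (not code from the thread and not part of syslog-ng) that parses the three shapes of message it mentions: the RFC 3164 line that tcp() put on the wire in the tcpdump capture, the same line with an ISO 8601 stamp as tcp() would emit with ts_format(iso) set on the destination, and the RFC 5424 line from the reply that the syslog() driver sends. The sample lines are constructed from the ones quoted above (the UTF-8 BOM in the RFC 5424 example is omitted); the year 2012 and the -07:00 zone supplied for the RFC 3164 line are assumptions taken from the strace output, which is the practical point: that format carries neither, so a collector has to guess both, and a forensic timeline built from it is only as good as the guess. The rfc3164-iso case is handled as a separate branch because a collector expecting the stock format would otherwise reject it.

```python
"""Parse the message shapes this thread contrasts: the BSD/RFC 3164 line
tcp() put on the wire, the same line with an ISO stamp (tcp() plus
ts_format(iso)), and the IETF/RFC 5424 line the syslog() driver emits.
Added example, not code from the thread or from syslog-ng."""
import re
from datetime import datetime, timezone, timedelta
from typing import Optional

# Constructed samples modelled on the lines quoted in the thread. RFC 3164
# pads a single-digit day with a second space, hence "Apr  5".
RFC3164_LINE = "<13>Apr  5 18:20:31 host my-test: asdlfkjasdfasdf"
ISO_LINE = "<13>2012-04-05T18:14:37-07:00 host my-test: asdlfkjasdfasdf"
RFC5424_LINE = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
                "'su root' failed for lonvick on /dev/pts/8")   # BOM omitted
# Assumed sender zone, taken from the -07:00 offset in the strace output.
PDT = timezone(timedelta(hours=-7))

_PRI = re.compile(r"^<(\d{1,3})>")
_BSD_TS = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_IETF_HDR = re.compile(
    r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.DOTALL)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def _iso(stamp: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(stamp[:-1] + "+00:00" if stamp.endswith("Z") else stamp)


def parse_syslog(line: str, assume_year: Optional[int] = None,
                 assume_tz: timezone = timezone.utc) -> dict:
    """Return facility, severity, format, timestamp, host, app, msg and
    ts_ambiguous (True when the year or the zone had to be guessed)."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri, rest = int(m.group(1)), line[m.end():]
    rec = {"facility": pri // 8, "severity": pri % 8}

    if rest.startswith("1 "):                       # RFC 5424: VERSION field "1"
        h = _IETF_HDR.match(rest)
        if not h:
            raise ValueError("malformed RFC 5424 header")
        ts, host, app, procid, msgid, sd, msg = h.groups()
        rec.update(format="rfc5424", timestamp=_iso(ts), ts_ambiguous=False,
                   host=host, app=app, procid=None if procid == "-" else procid,
                   msgid=None if msgid == "-" else msgid,
                   sd=None if sd == "-" else sd, msg=msg or "")
        return rec

    b = _BSD_TS.match(rest)
    if b:                                           # RFC 3164: "Mmm dd hh:mm:ss", no year, no zone
        mon, day, hh, mm, ss = b.groups()
        year = assume_year if assume_year is not None else datetime.now(assume_tz).year
        ts = datetime(year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=assume_tz)
        rec.update(format="rfc3164", timestamp=ts, ts_ambiguous=True)
        rest = rest[b.end():]
    else:                                           # ISO 8601 stamp in the RFC 3164 slot
        stamp, _, rest = rest.partition(" ")
        ts = _iso(stamp)
        rec.update(format="rfc3164-iso", timestamp=ts, ts_ambiguous=ts.tzinfo is None)
    host, _, rest = rest.partition(" ")
    tag, sep, msg = rest.partition(": ")
    if not sep:                                     # no "TAG: " prefix: all of it is MSG
        tag, msg = None, rest
    rec.update(host=host, app=tag, msg=msg)
    return rec


def utc_timeline(lines, **assumptions) -> list:
    """Order mixed-format records on one UTC axis. Only the RFC 3164 records
    depend on the assumed year and zone; the other two carry their own."""
    recs = [parse_syslog(line, **assumptions) for line in lines]
    return sorted(recs, key=lambda r: r["timestamp"].astimezone(timezone.utc))


if __name__ == "__main__":
    for r in utc_timeline([RFC3164_LINE, ISO_LINE, RFC5424_LINE],
                          assume_year=2012, assume_tz=PDT):
        flag = "guessed" if r["ts_ambiguous"] else "exact"
        print(f'{r["format"]:12} {r["timestamp"].isoformat()} ({flag}) {r["app"]}: {r["msg"]}')
```

Run stand-alone it prints the three records on a single UTC-ordered timeline, with the RFC 3164 one flagged as guessed. Feed it an RFC 3164 line without the year and zone assumptions and it silently uses the collector's current year and UTC, which is exactly the kind of quiet drift a log pipeline should make visible rather than absorb.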