Somewhere in between bug and misunderstanding. The bug would be in documentation, but the behavior is deliberate.
The reason is that when sending over the network to a syslog server, the server expects the message in a certain format. When you change the timestamp, that format is now invalid and the remote end might not be able to parse it.

Now you could put `ts_format(iso)` in the `tcp()` destination driver. But if your remote server is looking for a timestamp in ISO format, it probably supports the syslog message protocol, which uses ISO timestamps. Syslog-ng uses the syslog destination driver for sending in this format.

The syslog message protocol looks like this:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8


The forementioned bug in the documentation is that it says the tcp() destination driver ts_format uses the global ts_format setting. It doesnt.

-Patrick



Sent: Thu Apr 05 2012 21:31:54 GMT-0400 (EDT)
From: Chris Hiestand <chiestand@salk.edu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] ts_format(iso) bug or misunderstanding? 
So I'm using iso timezone format for my syslog clients: options { … ts_format(iso); … };

I expected this to use the iso format for all syslog entries. However, I've found that it only uses
iso format for local syslog entries. syslog entries sent to the syslog-ng collector are in old rfc3164
format.


chiestand@host:~$ logger -t my-test asdlfkjasdfasdf




which sends (3 local entries, 1 remote entry):

sudo strace -ff -p 13658
...
write(10, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
write(11, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
write(9, "<13>Apr  5 18:25:09 host my-test"..., 58) = 58
write(14, "2012-04-05T18:14:37-07:00 host "..., 64) = 64


or viewing with tcpdump:

chiestand@host:/var/log$ sudo tcpdump -A host syslog.server.salk.edu
…
.va<13>Apr  5 18:20:31 host my-test: asdlfkjasdfasdf


I would expect the iso format to be sent to the syslog-ng collector as well. Is this a bug or expected
behavior? I checked bugzilla and debian bug tracker and didn't see anything.

I'm running syslog-ng v3.1 on Debian squeeze.

Thanks,
Chris=

 

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq