On Wed, 2007-06-13 at 12:33 +0200, Giulio Botto wrote:
Balazs Scheidler wrote:
On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
Hello,
I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.
We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.
If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro.
If syslog-ng received an invalid timestamp or no timestamp, it generates a new value for S_DATE based on the local time.
Can you post a sample log message as received by syslog-ng? A tcpdump or an strace dump with the string size set to a high value (-s 4096 for instance) could be helpful.
PIX uses a funny timestamp, that syslog-ng could not understand. Can you check if this patch fixes the issue: --- a/src/logmsg.c +++ b/src/logmsg.c @@ -268,6 +268,32 @@ log_msg_parse(LogMessage *self, gchar *data, gint length, guint flags, regex_t * src += stamp_length; left -= stamp_length; } + else if (left >= 21 && src[3] == ' ' && src[6] == ' ' && src[11] == ' ' && src[14] == ':' && src[17] == ':' && src[20] == ':') + { + /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */ + + struct tm tm, *nowtm; + + /* Just read the buffer data into a textual + datestamp. */ + + g_string_assign_len(&self->date, src, 21); + src += 21; + left -= 21; + + /* And also make struct time timestamp for the msg */ + + nowtm = localtime(&now); + tm = *nowtm; + strptime(self->date.str, "%b %e %Y %H:%M:%S:", &tm); + tm.tm_isdst = -1; + + /* NOTE: no timezone information in the message, assume it is local time */ + self->stamp.time.tv_sec = mktime(&tm); + self->stamp.time.tv_usec = 0; + self->stamp.zone_offset = get_local_timezone_ofs(self->stamp.time.tv_sec); /* assume local timezone */ + + } else if (left >= 15 && src[3] == ' ' && src[6] == ' ' && src[9] == ':' && src[12] == ':') { /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */ -- Bazsi
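Review bot: the strptime() return value in the new PIX branch is not checked, so a message that passes the six delimiter tests but carries non-digits or an unknown month name in the other positions leaves tm only partly overwritten on top of the localtime() copy, and mktime() then produces a plausible-looking but wrong stamp from attacker-controlled network input. Suggest testing the result and, on NULL, treating the message as having no timestamp, so it takes the receive-time fallback described earlier in the thread: `if (strptime(self->date.str, "%b %e %Y %H:%M:%S:", &tm) == NULL) { ... }`. Two smaller points in the same block: the localtime(&now) result is dereferenced without a NULL check (and `now` must already be in scope, which the hunk does not show), and mktime() can return (time_t)-1, which is stored into tv_sec unchecked.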
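As an added illustration of the PIX stamp format discussed above (this is not syslog-ng code and not the patch from the thread), the following strict parser accepts exactly the "MMM DD YYYY HH:MM:SS:" shape, validates every position, and reports failure cleanly so that a malformed stamp from an untrusted sender can fall back to the receive time instead of yielding a half-filled struct tm. The function names (parse_pix_stamp, pix_month_index, pix_num, pix_stamp_to_local_time), the PIX_STAMP_LEN macro and the sample stamps are all assumptions of this example.

```c
/* Added example, hypothetical helper: strict parser for the Cisco PIX
 * timestamp "MMM DD YYYY HH:MM:SS:" (21 bytes), not syslog-ng code. */
#include <string.h>
#include <ctype.h>
#include <time.h>

#define PIX_STAMP_LEN 21  /* strlen("MMM DD YYYY HH:MM:SS:") */

/* 0..11 for a three-letter English month abbreviation, -1 otherwise. */
static int pix_month_index(const char *s)
{
    static const char *names[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    for (int i = 0; i < 12; i++)
        if (strncmp(s, names[i], 3) == 0)
            return i;
    return -1;
}

/* Fixed-width decimal field of 'width' characters. A leading space is
 * accepted only when allow_leading_space is set (the day field, "Jun  7").
 * Returns -1 if any other character is not a digit. */
static int pix_num(const char *s, int width, int allow_leading_space)
{
    int v = 0;
    for (int i = 0; i < width; i++) {
        if (i == 0 && allow_leading_space && s[i] == ' ')
            continue;
        if (!isdigit((unsigned char)s[i]))
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Parse a PIX stamp at the start of src ('left' bytes available) into *out.
 * Returns PIX_STAMP_LEN (bytes consumed) on success, 0 when the data does
 * not carry a well-formed PIX stamp. On failure *out is left untouched, so
 * the caller can apply its "no timestamp -> use local receive time" rule. */
int parse_pix_stamp(const char *src, size_t left, struct tm *out)
{
    struct tm tm;
    int mon, day, year, hour, min, sec;

    if (left < PIX_STAMP_LEN)
        return 0;
    /* delimiter positions: M M M _ D D _ Y Y Y Y _ H H : M M : S S : */
    if (src[3] != ' ' || src[6] != ' ' || src[11] != ' ' ||
        src[14] != ':' || src[17] != ':' || src[20] != ':')
        return 0;

    mon  = pix_month_index(src);
    day  = pix_num(src + 4, 2, 1);
    year = pix_num(src + 7, 4, 0);
    hour = pix_num(src + 12, 2, 0);
    min  = pix_num(src + 15, 2, 0);
    sec  = pix_num(src + 18, 2, 0);

    /* every field must have parsed and be in range (sec 60 = leap second) */
    if (mon < 0 || day < 1 || day > 31 || year < 1970 || year > 9999 ||
        hour < 0 || hour > 23 || min < 0 || min > 59 || sec < 0 || sec > 60)
        return 0;

    memset(&tm, 0, sizeof tm);
    tm.tm_year = year - 1900;
    tm.tm_mon  = mon;
    tm.tm_mday = day;
    tm.tm_hour = hour;
    tm.tm_min  = min;
    tm.tm_sec  = sec;
    tm.tm_isdst = -1;   /* let mktime() decide DST, as the message has no zone */
    *out = tm;
    return PIX_STAMP_LEN;
}

/* The message carries no timezone, so (as in the thread) it is interpreted
 * as local time. Works on a copy because mktime() normalises its argument.
 * Returns (time_t)-1 if the conversion fails. */
time_t pix_stamp_to_local_time(const struct tm *tm)
{
    struct tm copy = *tm;
    return mktime(&copy);
}
```

A caller would test the return value of parse_pix_stamp() first and, on 0, try the RFC 3164 shape or fall back to the receive time; the strict field checks are what make the "invalid timestamp means local time" rule from the thread hold for arbitrary bytes arriving over UDP.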