In fact, I have tried all variations of ts_format (rfc3164, bsd, rfc3339, iso) and I always get the same result.
Eventually I will switch to the syslog message protocol, so this is not a show-stopper. But not getting something
to work as advertised is still troubling.
Could I be missing something else? Or might we be in bug/documentation bug territory?
Thanks,
Chris
On Apr 5, 2012, at 7:10 PM, Patrick Hemmer wrote:
Somewhere in between bug and misunderstanding.
The bug would be in documentation, but the behavior is deliberate.
The reason is that when sending over the network to a syslog
server, the server expects the message in a certain format. When
you change the timestamp, that format is now invalid and the
remote end might not be able to parse it.
Now you could put `ts_format(iso)` in the `tcp()` destination
driver. But if your remote server is looking for a timestamp in
ISO format, it probably supports the syslog message protocol,
which uses ISO timestamps. Syslog-ng uses the syslog destination
driver for sending in this format.
The syslog message protocol looks like this:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
The aforementioned bug in the documentation is that it says the
tcp() destination driver ts_format uses the global ts_format
setting. It doesn't.
-Patrick
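
To illustrate the receiver-side point made in the reply above, here is an added example (not part of the original thread and not syslog-ng code) of a strict parser that accepts legacy BSD framing and syslog message protocol framing. The regexes, function names and the two constructed samples are assumptions for illustration; the mixed sample assumes a sender that keeps BSD framing but writes an ISO timestamp.

```python
import re
from datetime import datetime

# Legacy BSD syslog (RFC 3164) framing: <PRI>Mmm dd hh:mm:ss HOST MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Syslog message protocol (RFC 5424) framing:
# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])"
    r"(?: (?P<msg>.*))?$", re.S)

def parse_iso(ts):
    """Parse an RFC 5424 timestamp; '-' (NILVALUE) means no timestamp."""
    if ts == "-":
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(line):
    """Return (format, fields) the way a strict receiver would see the line."""
    for name, regex in (("rfc5424", IETF_RE), ("rfc3164", BSD_RE)):
        m = regex.match(line)
        if not m:
            continue
        fields = m.groupdict()
        try:
            if name == "rfc5424":
                fields["ts"] = parse_iso(fields["ts"])
        except ValueError:
            continue  # version digit present but timestamp is not ISO
        fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
        return name, fields
    return "unparsed", {}

# The message from the reply above; "BOM" there denotes the UTF-8 byte order mark.
SAMPLE_IETF = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
               "\ufeff'su root' failed for lonvick on /dev/pts/8")
# Constructed samples: legacy framing, then legacy framing with an ISO timestamp.
SAMPLE_BSD = "<34>Apr  5 19:10:00 mymachine su: 'su root' failed for lonvick"
SAMPLE_MIXED = "<34>2012-04-05T19:10:00+00:00 mymachine su: 'su root' failed for lonvick"

if __name__ == "__main__":
    for sample in (SAMPLE_IETF, SAMPLE_BSD, SAMPLE_MIXED):
        kind, fields = classify(sample)
        print(kind, fields.get("ts"), fields.get("host"))
```

The mixed sample matches neither framing, which is the failure the reply warns about when only the timestamp is changed on a legacy destination.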