On Sat, Apr 26, 2003 at 11:20:36PM +1200, Jason Haar wrote:
On Fri, Apr 25, 2003 at 09:06:25PM +0200, Balazs Scheidler wrote:
SYSLOG: SYSLOG: "<172>Apr 25 2003 14:06:02: %PIX-4-106023: Deny tcp src insid" SYSLOG:
as it seems the problem is caused by the bad date stamp. I might add support for this stamp if you are willing to test it.
Is it really needed? This "issue" is caused by Cisco routers. It is optional to configure them to timestamp each syslog transmission themselves - instead of relying on the Syslog server to do it - as all other syslog clients I've ever come across do.
Personally, I think this Cisco "feature" sucks ;-) I trust the clock on the Syslog server - I don't trust the clock on some remote router...
I'd suggest that Robin fix up the Ciscos rather than "fix" syslog-ng when it isn't broken...
If it is needed, at least make it optional so that you can choose to:
a) ignore it (old behaviour)
b) allow timestamp to override Syslog server timestamp (why would you ever want this?)
c) skip the timestamp - so that the syslog record looks like the Cisco was correctly configured ;-)
it is already possible to override the sender's timestamp by using the use_time_recvd() global option (which affects macro expansion), or one of the time macros prefixed by 'S_'

e.g.

    destination router_logs { file("/var/log/messages" template("$DATE $HOST $MSG\n")); };

outputs the timestamp as received from the sender when use_time_recvd = no, and the server's timestamp when use_time_recvd = yes. But you can refer to these properties of the messages directly by either using the R_DATE or the S_DATE macros.

The possibility to recognize sent timestamps (while allowing to override it) is good IMHO.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
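
Added example, not part of the thread and not syslog-ng code: a small Python parser that accepts both the usual BSD syslog stamp and the year-bearing Cisco stamp from the PIX message quoted above, keeps the sent and received times separately (analogous to S_DATE and R_DATE), and picks one according to a use_time_recvd flag. The function name, dictionary keys and the BSD sample line are constructed for illustration; borrowing the missing year from the receive time is an assumption.

```python
import re
from datetime import datetime

# <PRI>, then either "Mmm dd hh:mm:ss" (BSD syslog) or the Cisco-stamped
# "Mmm dd yyyy hh:mm:ss:" form seen in the PIX message quoted in the thread.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?:(?P<year>\d{4}) )?"
    r"(?P<time>\d{2}:\d{2}:\d{2}):? "
    r"(?P<msg>.*)$",
    re.S,
)

def parse(line, received, use_time_recvd=False):
    """Split a raw syslog line into facility, severity, sent stamp,
    received stamp, the stamp chosen for output, and the message body."""
    m = HEADER.match(line)
    if not m:
        # No recognisable header: keep the whole line, only the receive time is known.
        return {"facility": None, "severity": None, "sent": None,
                "recvd": received, "date": received, "msg": line}
    pri = int(m["pri"])
    # The BSD form carries no year, so borrow it from the receive time (assumption).
    year = int(m["year"]) if m["year"] else received.year
    try:
        sent = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
    except ValueError:
        sent = None  # header shape matched but the date itself is invalid
    # Trust the server clock when asked to, or when the sender's stamp is unusable.
    chosen = received if (use_time_recvd or sent is None) else sent
    return {"facility": pri >> 3, "severity": pri & 7, "sent": sent,
            "recvd": received, "date": chosen, "msg": m["msg"]}

# Header as quoted in the thread (the body is truncated on the page).
CISCO_SAMPLE = "<172>Apr 25 2003 14:06:02: %PIX-4-106023: Deny tcp src insid"
# Constructed sample in the plain BSD form.
BSD_SAMPLE = "<13>Apr 25 14:06:02 host1 test message"

if __name__ == "__main__":
    now = datetime(2003, 4, 25, 19, 6, 25)  # constructed receive time
    for raw in (CISCO_SAMPLE, BSD_SAMPLE):
        print(parse(raw, now), parse(raw, now, use_time_recvd=True)["date"])
```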