Hey, Thanks for the reply and the explaination. It not all IOS's/Cisco box's that support enabling of year in log e.g. Catalyst ME3400/4500 I can see that the log i now is getting like this, after i got some of my config to work: -- Message from syslogd@<syslog-ng sender> at Wed Jan 20 10:21:02 2010 ... <syslog-ng sender> Jan 20 10:21:01: %SYS-5-CONFIG_I: Configured from console by <user> on vty0 (<ip>)> -- Martin 2010/1/19 Balazs Scheidler <bazsi@balabit.hu>
On Tue, 2010-01-19 at 13:16 +0100, Marty Sørensen wrote:
Hey Bazsi,
Thanks for the quick reply, great job/service.
Unforturnately it still doesnt work with the config i pasted: -- Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console by <username> on vty0 (<ip>) --
There's a colon in the date after the seconds part: 'Jan 19 13:13:44:', is that really there as it is received from the Cisco box?
It resembles most to this format as supported by syslog-ng:
/* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
However it seems to lack the year information.
The currently supported date formats can be found in logmsg.c, log_msg_parse_date() function:
/* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */ /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */ /* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */ /* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */ /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
You can enable year in the timestamp above with:
# service timestamps year
If I read this correctly:
http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07...
The timestamp above would be fine, if there was no colon at the end. But there is, which causes syslog-ng to expect a year as well.
Martin
2010/1/19 Balazs Scheidler <bazsi@balabit.hu> On Tue, 2010-01-19 at 11:08 +0100, Marty Sørensen wrote: > Hello .... > > New user to syslog-ng but still hoping someone can help me with a > small config example > > Im forwarding syslog from my syslog-ng but when it arrives it has > double timestamps/hostname: > -- > Jan 19 11:02:58 cut-hostname 10.229.5.2 32176: Jan 19 11:02:57: % > SFF8472-5-THRESHOLD_VIOLATION > --
Your Cisco gear is including sequence number in the timestamp which syslog-ng doesn't recognize.
That's the "32176: " prefix before the 2nd timestamp. If you disable that, it'll work.
I'm planning to add support for this field in the future.
-- Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html