Balazs Scheidler wrote:
On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
Hello,
I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.
We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.
If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro.
If syslog-ng received an invalid timestamp or no timestamp, it generates a new value for S_DATE based on the local time.
Can you post a sample log message as received by syslog-ng? A tcpdump or an strace dump with the string size set to a high value (-s 4096 for instance) could be helpful.
# tcpdump -s0 -x -X host 10.13.122.245
12:28:50.119966 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG local7.info, length: 188
        0x0000:  4500 00d8 fdf1 0000 fc11 cb07 0a0d 7af5  E.............z.
        0x0010:  0a0d 660c 0202 0202 00c4 c214 3c31 3930  ..f.........<190
        0x0020:  3e41 7072 2031 3520 3230 3037 2032 313a  >Apr.15.2007.21:
        0x0030:  3238 3a31 333a 2025 5049 582d 362d 3330  28:13:.%PIX-6-30
        0x0040:  3230 3133 3a20 4275 696c 7420 6f75 7462  2013:.Built.outb
        0x0050:  6f75 6e64 2054 4350 2063 6f6e 6e65 6374  ound.TCP.connect
        0x0060:  696f 6e20 3136 3838 3534 3020 666f 7220  ion.1688540.for.
        0x0070:  626c 6f6f 6d62 6572 672d 6e65 743a 3230  bloomberg-net:20
        0x0080:  382e 3133 342e 3136 312e 3132 2f38 3239  8.134.161.12/829
        0x0090:  3420 2832 3038 2e31 3334 2e31 3631 2e31  4.(208.134.161.1
        0x00a0:  322f 3832 3934 2920 746f 2069 6e73 6964  2/8294).to.insid
        0x00b0:  653a 3130 2e31 3736 2e33 312e 3234 2f33  e:10.176.31.24/3
        0x00c0:  3636 3920 2831 302e 3137 362e 3331 2e32  669.(10.176.31.2
        0x00d0:  342f 3336 3639 290a                      4/3669).
12:28:50.223642 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG local7.info, length: 178
        0x0000:  4500 00ce fdf3 0000 fc11 cb0f 0a0d 7af5  E.............z.
        0x0010:  0a0d 660c 0202 0202 00ba c26c 3c31 3930  ..f........l<190
        0x0020:  3e41 7072 2031 3520 3230 3037 2032 313a  >Apr.15.2007.21:
        0x0030:  3238 3a31 333a 2025 5049 582d 362d 3330  28:13:.%PIX-6-30
        0x0040:  3230 3134 3a20 5465 6172 646f 776e 2054  2014:.Teardown.T
        0x0050:  4350 2063 6f6e 6e65 6374 696f 6e20 3136  CP.connection.16
        0x0060:  3838 3433 3820 666f 7220 626c 6f6f 6d62  88438.for.bloomb
        0x0070:  6572 672d 6e65 743a 3230 382e 3133 342e  erg-net:208.134.
        0x0080:  3136 312e 3132 2f38 3239 3420 746f 2069  161.12/8294.to.i
        0x0090:  6e73 6964 653a 3130 2e31 3736 2e33 312e  nside:10.176.31.
        0x00a0:  3234 2f33 3633 3920 6475 7261 7469 6f6e  24/3639.duration
        0x00b0:  2030 3a30 373a 3031 2062 7974 6573 2031  .0:07:01.bytes.1
        0x00c0:  3639 3735 2054 4350 2046 494e 730a       6975.TCP.FINs.
12:28:52.667328 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG local7.warning, length: 152
        0x0000:  4500 00b4 fdfa 0000 fc11 cb22 0a0d 7af5  E.........."..z.
        0x0010:  0a0d 660c 0202 0202 00a0 fdc4 3c31 3838  ..f.........<188
        0x0020:  3e41 7072 2031 3520 3230 3037 2032 313a  >Apr.15.2007.21:
        0x0030:  3238 3a31 353a 2025 5049 582d 342d 3130  28:15:.%PIX-4-10
        0x0040:  3630 3233 3a20 4465 6e79 2075 6470 2073  6023:.Deny.udp.s
        0x0050:  7263 2062 6c6f 6f6d 6265 7267 2d6e 6574  rc.bloomberg-net
        0x0060:  3a31 3939 2e31 3035 2e31 3831 2e35 302f  :199.105.181.50/
        0x0070:  3438 3133 3020 6473 7420 696e 7369 6465  48130.dst.inside
        0x0080:  3a31 302e 3137 362e 3334 2e38 362f 3438  :10.176.34.86/48
        0x0090:  3132 3920 6279 2061 6363 6573 732d 6772  129.by.access-gr
        0x00a0:  6f75 7020 2242 4c4f 4f4d 4245 5247 2d4e  oup."BLOOMBERG-N
        0x00b0:  4554 220a                                ET".

TIA,
-- 
Giulio Botto -- madecto@sangria.org.il
PGP fingerprint = 1979 A78A 8F82 DB5E 55E9 D6D6 6AB6 0BA9 FDB7 6789
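The S_DATE behaviour Balazs describes, applied to the payloads decoded from the dump above, as an added example that is neither code from the thread nor syslog-ng's own parser: it splits off the PRI, tries a strict RFC 3164 timestamp, and falls back to the receive time when that fails, which is what happens to the PIX form `Apr 15 2007 21:28:13:` (year inserted, trailing colon). The `accept_cisco` switch, the receive time `RECEIVED_AT` and the helper names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed input: two of the UDP payloads, decoded from the ASCII column of the
# tcpdump output in the thread (PRI, Cisco-style timestamp, %PIX message).
PAYLOADS = [
    b"<190>Apr 15 2007 21:28:13: %PIX-6-302013: Built outbound TCP connection "
    b"1688540 for bloomberg-net:208.134.161.12/8294 (208.134.161.12/8294) "
    b"to inside:10.176.31.24/3669 (10.176.31.24/3669)\n",
    b"<188>Apr 15 2007 21:28:15: %PIX-4-106023: Deny udp src bloomberg-net:"
    b"199.105.181.50/48130 dst inside:10.176.34.86/48129 by access-group "
    b'"BLOOMBERG-NET"\n',
]
RECEIVED_AT = datetime(2007, 6, 7, 12, 28, 50)  # constructed; only 12:28:50 is in the dump

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]  # 16..23: localN
RFC3164_TS = "%b %d %H:%M:%S"     # "Apr 15 21:28:13": no year, 15 characters
CISCO_TS = "%b %d %Y %H:%M:%S:"   # "Apr 15 2007 21:28:13:": what the PIX sends

def facility_name(fac):
    return "local%d" % (fac - 16) if fac >= 16 else FACILITIES[fac]

def parse_pri(payload):
    """Split off <PRI>; RFC 3164 treats a message without one as user.notice (13)."""
    m = re.match(rb"<(\d{1,3})>", payload)
    pri = int(m.group(1)) if m else 13
    return pri >> 3, pri & 7, (payload[m.end():] if m else payload)

def sender_timestamp(rest, received_at, accept_cisco=False):
    """Return (timestamp, fell_back): strict RFC 3164 first, then optionally the
    Cisco 'Mmm dd yyyy hh:mm:ss:' form (hypothetical switch, not syslog-ng's)."""
    text = rest.decode("ascii", "replace")
    try:   # RFC 3164 carries no year, so the receiving host's year is assumed
        return datetime.strptime(text[:15], RFC3164_TS).replace(year=received_at.year), False
    except ValueError:
        pass
    if accept_cisco:
        try:
            return datetime.strptime(text[:21], CISCO_TS), False
        except ValueError:
            pass
    return received_at, True   # invalid or missing timestamp: local time instead

def s_date(payload, received_at=RECEIVED_AT, accept_cisco=False):
    fac, sev, rest = parse_pri(payload)
    ts, fell_back = sender_timestamp(rest, received_at, accept_cisco)
    return {"facility": facility_name(fac), "severity": SEVERITIES[sev],
            "s_date": ts, "fell_back": fell_back}
```

`s_date(PAYLOADS[0])` returns the receive time with `fell_back` set, and `s_date(PAYLOADS[0], accept_cisco=True)` returns 2007-04-15 21:28:13. The sender's timestamp (Apr 15, 21:28) and the capture time (12:28:50) disagree, so whichever of S_DATE or R_DATE a log file records, a large skew between them is itself worth flagging, since a wrongly clocked sender corrupts the timeline.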