If syslog-ng is letting you set ts_format on the tcp destination driver (not throwing a syntax error), but isnt using it, then I'd definitely think bug (though this is something the balabit folks should confirm).
An alternate method would be to use a template on the tcp destination driver and explicitly build a format which uses the ISO timestamp. For example:
template t_tcp { template("<$BSDTAG> $ISODATE $HOST $MSGHDR$MESSAGE\n") };
destination d_tcp { tcp('1.2.3.4' template(t_tcp));  };
Note the lack of space between $MSGHDR and $MESSAGE, thats deliberate.

-Patrick



Sent: Fri Apr 06 2012 04:40:07 GMT-0400 (EDT)
From: Chris Hiestand <chiestand@salk.edu>
To: Patrick Hemmer <syslogng@stormcloud9.net>, Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] ts_format(iso) bug or misunderstanding?
Thank you very much for your reply Patrick, that was very helpful.

I have downloaded syslog-ng v3.3 (Debian Wheezy) just to get the latest, and I'm still having a problem.

Based in your advice, I was able to successfully get the iso ts_format if I use the syslog() destination driver. However, if I use the tcp() destination driver, I still cannot get iso ts_format. syslog-ng ignores my parameter and sends old style timestamps.

my driver:
destination My_Syslog { tcp("syslog.server.salk.edu" port(514) ts_format(iso) ); };
log { source(s_src); destination(My_Syslog); };


tcpdump:
@.m..<hw<86>Apr  6 01:24:01 host CRON[1923]: pam_unix(cron:session): session closed for user root

In fact, I have tried all variations of ts_format (rfc3164, bsd, rfc3339, iso) and I always get the same result.

Eventually I will switch to the syslog message protocol, so this is not a show-stopper. But not getting something
to work as advertised is still troubling.

Could I be missing something else? Or might we be in bug/documentation bug territory?

Thanks,
Chris
On Apr 5, 2012, at 7:10 PM, Patrick Hemmer wrote:
Somewhere in between bug and misunderstanding. The bug would be in documentation, but the behavior is deliberate.
The reason is that when sending over the network to a syslog server, the server expects the message in a certain format. When you change the timestamp, that format is now invalid and the remote end might not be able to parse it.

Now you could put `ts_format(iso)` in the `tcp()` destination driver. But if your remote server is looking for a timestamp in ISO format, it probably supports the syslog message protocol, which uses ISO timestamps. Syslog-ng uses the syslog destination driver for sending in this format.

The syslog message protocol looks like this:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8


The forementioned bug in the documentation is that it says the tcp() destination driver ts_format uses the global ts_format setting. It doesnt.

-Patrick