Hello,

I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.

We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.

If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro. We tried changing the time on one of the PIXes on the assumption we'd see its timestamp in our logfile, but continued to see the receiving time no matter what macro we used in our template.

Any hint as to what I'm getting wrong will be very much appreciated.

Below is the relevant configuration:

options {
        use_dns(yes);
        dns_cache_hosts(/etc/hosts);
        dns_cache_expire(87600);
        chain_hostnames(no);
        use_time_recvd(no);
};

source s_remote {
        tcp(ip(0.0.0.0) port(514) keep_timestamp(yes));
        udp(ip(0.0.0.0) port(514) keep_timestamp(yes));
};

destination d_separatedbyhosts {
        file("/var/log/syslog-ng/$HOST.log"
             owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)
             template("<$PRI>$S_DATE $HOST $MSG\n") template-escape(no));
};

--
Giulio Botto -- madecto@sangria.org.il
PGP fingerprint = 1979 A78A 8F82 DB5E 55E9 D6D6 6AB6 0BA9 FDB7 6789
On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
> Hello,
>
> I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.
>
> We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.
>
> If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro.
If syslog-ng received an invalid timestamp or no timestamp, it generates a new value for S_DATE based on the local time.

Can you post a sample log message as received by syslog-ng? A tcpdump or an strace dump with the string size set to a high value (-s 4096 for instance) could be helpful.

--
Bazsi
Balazs Scheidler wrote:
> On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
>> Hello,
>>
>> I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.
>>
>> We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.
>>
>> If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro.
>
> If syslog-ng received an invalid timestamp or no timestamp, it generates a new value for S_DATE based on the local time.
>
> Can you post a sample log message as received by syslog-ng? A tcpdump or an strace dump with the string size set to a high value (-s 4096 for instance) could be helpful.
# tcpdump -s0 -x -X host 10.13.122.245
12:28:50.119966 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG local7.info, length: 188
        0x0000:  4500 00d8 fdf1 0000 fc11 cb07 0a0d 7af5  E.............z.
        0x0010:  0a0d 660c 0202 0202 00c4 c214 3c31 3930  ..f.........<190
        0x0020:  3e41 7072 2031 3520 3230 3037 2032 313a  >Apr.15.2007.21:
        0x0030:  3238 3a31 333a 2025 5049 582d 362d 3330  28:13:.%PIX-6-30
        0x0040:  3230 3133 3a20 4275 696c 7420 6f75 7462  2013:.Built.outb
        0x0050:  6f75 6e64 2054 4350 2063 6f6e 6e65 6374  ound.TCP.connect
        0x0060:  696f 6e20 3136 3838 3534 3020 666f 7220  ion.1688540.for.
        0x0070:  626c 6f6f 6d62 6572 672d 6e65 743a 3230  bloomberg-net:20
        0x0080:  382e 3133 342e 3136 312e 3132 2f38 3239  8.134.161.12/829
        0x0090:  3420 2832 3038 2e31 3334 2e31 3631 2e31  4.(208.134.161.1
        0x00a0:  322f 3832 3934 2920 746f 2069 6e73 6964  2/8294).to.insid
        0x00b0:  653a 3130 2e31 3736 2e33 312e 3234 2f33  e:10.176.31.24/3
        0x00c0:  3636 3920 2831 302e 3137 362e 3331 2e32  669.(10.176.31.2
        0x00d0:  342f 3336 3639 290a                      4/3669).
12:28:50.223642 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG local7.info, length: 178
        0x0000:  4500 00ce fdf3 0000 fc11 cb0f 0a0d 7af5  E.............z.
        0x0010:  0a0d 660c 0202 0202 00ba c26c 3c31 3930  ..f........l<190
        0x0020:  3e41 7072 2031 3520 3230 3037 2032 313a  >Apr.15.2007.21:
        0x0030:  3238 3a31 333a 2025 5049 582d 362d 3330  28:13:.%PIX-6-30
        0x0040:  3230 3134 3a20 5465 6172 646f 776e 2054  2014:.Teardown.T
        0x0050:  4350 2063 6f6e 6e65 6374 696f 6e20 3136  CP.connection.16
        0x0060:  3838 3433 3820 666f 7220 626c 6f6f 6d62  88438.for.bloomb
        0x0070:  6572 672d 6e65 743a 3230 382e 3133 342e  erg-net:208.134.
        0x0080:  3136 312e 3132 2f38 3239 3420 746f 2069  161.12/8294.to.i
        0x0090:  6e73 6964 653a 3130 2e31 3736 2e33 312e  nside:10.176.31.
        0x00a0:  3234 2f33 3633 3920 6475 7261 7469 6f6e  24/3639.duration
        0x00b0:  2030 3a30 373a 3031 2062 7974 6573 2031  .0:07:01.bytes.1
        0x00c0:  3639 3735 2054 4350 2046 494e 730a       6975.TCP.FINs.
12:28:52.667328 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG local7.warning, length: 152
        0x0000:  4500 00b4 fdfa 0000 fc11 cb22 0a0d 7af5  E.........."..z.
        0x0010:  0a0d 660c 0202 0202 00a0 fdc4 3c31 3838  ..f.........<188
        0x0020:  3e41 7072 2031 3520 3230 3037 2032 313a  >Apr.15.2007.21:
        0x0030:  3238 3a31 353a 2025 5049 582d 342d 3130  28:15:.%PIX-4-10
        0x0040:  3630 3233 3a20 4465 6e79 2075 6470 2073  6023:.Deny.udp.s
        0x0050:  7263 2062 6c6f 6f6d 6265 7267 2d6e 6574  rc.bloomberg-net
        0x0060:  3a31 3939 2e31 3035 2e31 3831 2e35 302f  :199.105.181.50/
        0x0070:  3438 3133 3020 6473 7420 696e 7369 6465  48130.dst.inside
        0x0080:  3a31 302e 3137 362e 3334 2e38 362f 3438  :10.176.34.86/48
        0x0090:  3132 3920 6279 2061 6363 6573 732d 6772  129.by.access-gr
        0x00a0:  6f75 7020 2242 4c4f 4f4d 4245 5247 2d4e  oup."BLOOMBERG-N
        0x00b0:  4554 220a                                ET".

TIA,

--
Giulio Botto -- madecto@sangria.org.il
PGP fingerprint = 1979 A78A 8F82 DB5E 55E9 D6D6 6AB6 0BA9 FDB7 6789
On Wed, 2007-06-13 at 12:33 +0200, Giulio Botto wrote:
> Balazs Scheidler wrote:
>> On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
>>> Hello,
>>>
>>> I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.
>>>
>>> We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.
>>>
>>> If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro.
>>
>> If syslog-ng received an invalid timestamp or no timestamp, it generates a new value for S_DATE based on the local time.
>>
>> Can you post a sample log message as received by syslog-ng? A tcpdump or an strace dump with the string size set to a high value (-s 4096 for instance) could be helpful.
PIX uses a funny timestamp that syslog-ng could not understand. Can you check if this patch fixes the issue:

--- a/src/logmsg.c +++ b/src/logmsg.c @@ -268,6 +268,32 @@ log_msg_parse(LogMessage *self, gchar *data, gint length, guint flags, regex_t * src += stamp_length; left -= stamp_length; } + else if (left >= 21 && src[3] == ' ' && src[6] == ' ' && src[11] == ' ' && src[14] == ':' && src[17] == ':' && src[20] == ':') + { + /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */ + + struct tm tm, *nowtm; + + /* Just read the buffer data into a textual + datestamp. */ + + g_string_assign_len(&self->date, src, 21); + src += 21; + left -= 21; + + /* And also make struct time timestamp for the msg */ + + nowtm = localtime(&now); + tm = *nowtm; + strptime(self->date.str, "%b %e %Y %H:%M:%S:", &tm); + tm.tm_isdst = -1; + + /* NOTE: no timezone information in the message, assume it is local time */ + self->stamp.time.tv_sec = mktime(&tm); + self->stamp.time.tv_usec = 0; + self->stamp.zone_offset = get_local_timezone_ofs(self->stamp.time.tv_sec); /* assume local timezone */ + + } else if (left >= 15 && src[3] == ' ' && src[6] == ' ' && src[9] == ':' && src[12] == ':') { /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */

--
Bazsi
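Review bot: the new PIX branch never checks the return value of strptime(); the guard only verifies where the spaces and colons sit, so a 21-byte prefix with an unknown month name or non-digits still enters this branch, strptime() returns NULL, and mktime() then runs on a struct tm that is partly the current local time and partly whatever was parsed, while the 21 bytes have already been consumed as if they were a valid stamp. Suggest testing the result (`if (strptime(self->date.str, "%b %e %Y %H:%M:%S:", &tm) == NULL)`) and taking the existing no-timestamp path (receive time, as described earlier in the thread) in that case. A smaller point: `nowtm = localtime(&now); tm = *nowtm;` goes through localtime()'s static buffer, which is not reentrant; `localtime_r(&now, &tm)` gives the same seed without that caveat.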
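The two timestamp shapes discussed in this thread (the RFC 3164 one syslog-ng already recognised and the PIX one the patch adds), together with the fall-back to receive time Bazsi describes, as an added example that is not syslog-ng code or part of the original thread; the names parse_stamp, StampKind, local_epoch and stamp_is are this example's own, and the strptime() result check is the added caveat.

```c
#define _XOPEN_SOURCE 700   /* for strptime() and localtime_r() */
#include <string.h>
#include <time.h>
extern char *strptime(const char *, const char *, struct tm *);   /* re-declared in case a harness */
extern struct tm *localtime_r(const time_t *, struct tm *);        /* includes headers before the macro */
typedef enum { STAMP_NONE = 0, STAMP_RFC3164, STAMP_PIX } StampKind;

/* Recognise the stamp at the start of msg. On success *out gets the epoch seconds and
 * *consumed the stamp length; when the stamp is missing or does not parse, *out gets the
 * receive time 'recvd' instead: the S_DATE fallback Bazsi describes in the thread. */
StampKind parse_stamp(const char *msg, time_t recvd, time_t *out, size_t *consumed) {
    size_t left = strlen(msg), len = 0;
    const char *fmt = NULL;
    StampKind kind = STAMP_NONE;
    struct tm tm; char buf[22];
    /* PIX shape seen in the capture: "MMM DD YYYY HH:MM:SS:" (21 bytes, trailing colon) */
    if (left >= 21 && msg[3] == ' ' && msg[6] == ' ' && msg[11] == ' ' &&
        msg[14] == ':' && msg[17] == ':' && msg[20] == ':') {
        fmt = "%b %e %Y %H:%M:%S:"; len = 21; kind = STAMP_PIX;
    } else if (left >= 15 && msg[3] == ' ' && msg[6] == ' ' && msg[9] == ':' && msg[12] == ':') {
        fmt = "%b %e %H:%M:%S"; len = 15; kind = STAMP_RFC3164;   /* RFC 3164 shape: no year */
    }
    if (kind != STAMP_NONE) {
        memcpy(buf, msg, len); buf[len] = '\0';
        localtime_r(&recvd, &tm);   /* seed from receive time: a year-less stamp inherits the year */
        /* Separator positions alone do not prove a date ("Xyz 15 2007 21:28:13:" passes the
         * position test but has no such month), so strptime's return value must be checked. */
        if (strptime(buf, fmt, &tm) != NULL) {
            tm.tm_isdst = -1;       /* no zone in the message: assume local, let mktime pick DST */
            *out = mktime(&tm); *consumed = len;
            return kind;
        }
    }
    *out = recvd; *consumed = 0;    /* fallback: receive time */
    return STAMP_NONE;
}

/* Helpers for checking: a local-time epoch built from constructed fields, and a parse of msg
 * (received at recvd) compared with expect ("YYYY-MM-DD HH:MM:SS"); returns the kind or -1. */
time_t local_epoch(int y, int mo, int d, int h, int mi, int s) {
    struct tm tm = { .tm_year = y - 1900, .tm_mon = mo - 1, .tm_mday = d,
                     .tm_hour = h, .tm_min = mi, .tm_sec = s, .tm_isdst = -1 };
    return mktime(&tm);
}
int stamp_is(const char *msg, time_t recvd, const char *expect) {
    time_t t; size_t n; struct tm tm; char buf[32];
    StampKind k = parse_stamp(msg, recvd, &t, &n);
    localtime_r(&t, &tm);
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", &tm);
    return strcmp(buf, expect) == 0 ? (int)k : -1;
}
```

The message texts fed to stamp_is below are constructed from the capture in this thread; the PIX stamp is accepted with its own date, the RFC 3164 stamp picks up the year from the receive time, and both malformed inputs fall back to the receive time.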
Balazs Scheidler wrote:
> On Wed, 2007-06-13 at 12:33 +0200, Giulio Botto wrote:
>> Balazs Scheidler wrote:
>>> On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
>>>> Hello,
>>>>
>>>> I'm new to both syslog-ng and the list so I first tried the docs and archives, but couldn't find anything enlightening.
>>>>
>>>> We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances sending their logs to it.
>>>>
>>>> If my understanding is correct I should be receiving the sender's timestamp and should be able to log it in my log files instead of the receiving timestamp by application of the S_DATE macro.
>>>
>>> If syslog-ng received an invalid timestamp or no timestamp, it generates a new value for S_DATE based on the local time.
>>>
>>> Can you post a sample log message as received by syslog-ng? A tcpdump or an strace dump with the string size set to a high value (-s 4096 for instance) could be helpful.
>
> PIX uses a funny timestamp that syslog-ng could not understand. Can you check if this patch fixes the issue:
>
> [...]

Works perfectly, thanks!

--
Giulio Botto -- madecto@sangria.org.il
PGP fingerprint = 1979 A78A 8F82 DB5E 55E9 D6D6 6AB6 0BA9 FDB7 6789