syslog-ng events in log timestamping wrong
Hi All,

I am very new to syslog-ng via Cygwin. I am having trouble with MWG proxy logs where individual events inside the log are being timestamped at the rotation time (timestamping at 00:00-00:01AM). This happens intermittently so the problem isn't constant. I have verified via packet captures that the timestamp is correct up until syslog-ng begins to handle the event and write it to the log.

My syslog-ng.conf is as follows:

===============================================================
@version: 3.2
@include "scl.conf"
options {
    create_dirs(yes);
    use_dns(yes);
    dns_cache_hosts(/etc/hosts);
    dns_cache_expire(3600);
    chain_hostnames(0);
    log_fifo_size(512);
    perm(0644);
    dir_perm(0755);
    time_reopen(10);
    time_reap(360);
    use_fqdn(no);
    keep_hostname(no);
    stats_freq(0);
};
source s_network {
    udp(port("514"));
};
destination s_files {
    file("/cygdrive/d/syslog/$HOST/$HOST-$MONTH-$DAY.log" create_dirs(yes));
};
log { source(s_network); destination(s_files); };
==============================================================

Thanks. Any help or direction would be much appreciated.

Important Notice: If you have received this email by mistake, please advise the sender and delete the message and attachments immediately. This email, including attachments, may contain confidential, sensitive, legally privileged and/or copyright information. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. Please consider the environment before printing this email.
Can you please show a more concrete sample? I don't understand "are being timestamped at the rotation time".

3.2 is ancient but I am not sure any newer stuff is available on cygwin.

On Nov 21, 2017 00:29, "Contreras, Gerald (DPS)" <Gerald.Contreras@aph.gov.au> wrote:

Hi All, I am very new to syslog-ng via Cygwin. I am having trouble with MWG proxy logs where individual events inside the log are being timestamped at the rotation time (timestamping at 00:00-00:01AM). This happens intermittently so the problem isn't constant. I have verified via packet captures that the timestamp is correct up until syslog-ng begins to handle the event and write it to the log.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
destination d_file { file("/opt/syslog-ng/logs/$R_YEAR$R_MONTH$R_DAY/$HOST_FROM-$R_HOUR.log"); };

On Tue, Nov 21, 2017 at 12:51 AM, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:
Can you please show a more concrete sample? I don't understand "are being timestamped at the rotation time".
3.2 is ancient but I am not sure any newer stuff is available on cygwin.
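To make the difference between the two file() templates in this thread concrete, here is an added Python model (not syslog-ng code, and not posted by anyone in the thread) of how syslog-ng 3.x fills in the sender-stamp macros used in the original config versus the R_ (received-time) macros Scot suggests, and what happens to an event that arrives without a parseable syslog header. The sample events, the forwarder name fwd01 and the collector clock value are constructed.

```python
import re
from datetime import datetime

# Minimal RFC 3164 (BSD syslog) header: <PRI>Mmm dd hh:mm:ss host msg
HDR = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line, recv_time, host_from, keep_hostname=True):
    """Return the S_ (sender) and R_ (received) timestamps syslog-ng keeps per event."""
    m = HDR.match(line)
    if m is None:
        # No parseable stamp: syslog-ng stamps the event with the receive time,
        # so the "sender" timestamp collapses to the moment the collector got it.
        return {"HOST": host_from, "HOST_FROM": host_from, "S": recv_time,
                "R": recv_time, "MSG": line}
    _pri, stamp, host, msg = m.groups()
    # Year comes from the collector clock (real syslog-ng also handles year rollover).
    sent = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=recv_time.year)
    return {"HOST": host if keep_hostname else host_from, "HOST_FROM": host_from,
            "S": sent, "R": recv_time, "MSG": msg}

def expand(template, rec):
    """Expand the macros used in the thread; unprefixed date macros resolve to the
    sender timestamp (S_), which is the syslog-ng 3.x default."""
    fields = {"HOST": rec["HOST"], "HOST_FROM": rec["HOST_FROM"]}
    for prefix, ts in (("S_", rec["S"]), ("R_", rec["R"]), ("", rec["S"])):
        fields[prefix + "YEAR"] = f"{ts.year:04d}"
        fields[prefix + "MONTH"] = f"{ts.month:02d}"
        fields[prefix + "DAY"] = f"{ts.day:02d}"
        fields[prefix + "HOUR"] = f"{ts.hour:02d}"
        fields[prefix + "ISODATE"] = ts.strftime("%Y-%m-%dT%H:%M:%S")
    return re.sub(r"\$([A-Z_]+)", lambda m: fields[m.group(1)], template)

def skew_seconds(rec):
    """Received minus sent, in seconds: large values mean buffering, replay or a bad clock."""
    return (rec["R"] - rec["S"]).total_seconds()

# Constructed sample: the proxy logged the request at 09:15, but a forwarder (fwd01,
# hypothetical) replayed it just after midnight; the second copy lost its header.
RECV = datetime(2017, 11, 22, 0, 0, 30)
GOOD = "<134>Nov 21 09:15:02 mwg01 mwg: GET http://proxy.example/ 200"
BARE = "mwg: GET http://proxy.example/ 200"
THREAD_TMPL = "/cygdrive/d/syslog/$HOST/$HOST-$MONTH-$DAY.log"
RECV_TMPL = "/opt/syslog-ng/logs/$R_YEAR$R_MONTH$R_DAY/$HOST_FROM-$R_HOUR.log"

if __name__ == "__main__":
    for line in (GOOD, BARE):
        rec = parse(line, RECV, "fwd01")
        print(expand(THREAD_TMPL, rec), expand(RECV_TMPL, rec),
              expand("$S_ISODATE", rec), skew_seconds(rec))
```

The header-less copy is the symptom the thread describes: its $S_ISODATE becomes the receive time just after midnight, while a template built on R_ macros files both copies by the collector clock and the skew value flags the replayed event.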
Thank you all for your assistance. It appears since my email that Splunk may have a part to play with this issue, as stopping and starting the forwarder resolves the issue for the most part. I believe this can probably be cleared as an issue on the syslog-ng side. The same configuration works for the vast majority of other logs coming in via syslog.

Thank you again for all your help.

Kind Regards,
Gerald

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Scot
Sent: Wednesday, 22 November 2017 5:52 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] syslog-ng events in log timestamping wrong

destination d_file { file("/opt/syslog-ng/logs/$R_YEAR$R_MONTH$R_DAY/$HOST_FROM-$R_HOUR.log"); };
participants (3)
- Contreras, Gerald (DPS)
- Scheidler, Balázs
- Scot