Re: [syslog-ng] RFC3339 fractional second logging
On Fri, 2006-02-10 at 08:29 -0500, rlott@ivhs.com wrote:
Okay, I have this in my syslog-ng.conf:
options {
    dir_perm(0755);
    perm(0644);
    chain_hostnames(no);
    ts_format("iso");
    keep_hostname(yes);
};
...
# local0.debug /var/log/ngr/ngr_3456_A.log
filter f_12 { facility(local0) and level(debug.emerg); };
destination d_8 {
    file("/var/log/ngr/ngr_3456_A_$MONTH$DAY$YEAR.log"
        template("$R_ISODATE $HOST $MSG\n")
        template_escape(no)
        create_dirs(yes)
    );
};
log { source(local); filter(f_12); destination(d_8); };
And this is an entry from the corresponding log:
2006-02-10T07:45:15-05:00 localhost <rest of message>
If the timestamp in this case is using the received timestamp, how is this being transmitted/delivered? Is it being done in ASCII and, if so, is it possible that the fractional portions are not being included?
There are two timestamps per message:
1) the one in the message as received from the peer, it will never contain fractions except when the message was generated by syslog-ng and this information was also sent by using a custom template (syslog-ng tries to remain compatible with existing syslog devices by default, thus it does
-- Bazsi
On Sun, 2006-02-12 at 11:37 +0100, Balazs Scheidler wrote:
On Fri, 2006-02-10 at 08:29 -0500, rlott@ivhs.com wrote:
Okay, I have this in my syslog-ng.conf:
options {
    dir_perm(0755);
    perm(0644);
    chain_hostnames(no);
    ts_format("iso");
    keep_hostname(yes);
};
...
# local0.debug /var/log/ngr/ngr_3456_A.log
filter f_12 { facility(local0) and level(debug.emerg); };
destination d_8 {
    file("/var/log/ngr/ngr_3456_A_$MONTH$DAY$YEAR.log"
        template("$R_ISODATE $HOST $MSG\n")
        template_escape(no)
        create_dirs(yes)
    );
};
log { source(local); filter(f_12); destination(d_8); };
And this is an entry from the corresponding log:
2006-02-10T07:45:15-05:00 localhost <rest of message>
If the timestamp in this case is using the received timestamp, how is this being transmitted/delivered? Is it being done in ASCII and, if so, is it possible that the fractional portions are not being included?
There are two timestamps per message: 1) the one in the message as received from the peer, it will never contain fractions except when the message was generated by syslog-ng and this information was also sent by using a custom template (syslog-ng tries to remain compatible with existing syslog devices by default, thus it does
Sorry, I accidentally pressed Send before finishing my last email.
So there are two timestamps per message:
1) the one in the message as received from the peer, it will never contain fractions except when the message was generated by syslog-ng and this information was also sent by using a custom template (syslog-ng tries to remain compatible with existing syslog devices by default, thus it does not send an extended timestamp) Macros referencing this timestamp begin with "S_" (for stamp)
2) the one assigned by syslog-ng when the message was received from the peer. This should always contain fractions. These stamps begin with "R_" (for received)
The prefixes might not be very intuitive, their naming is historical heritage :)
Thus the example configuration that you sent above should indeed include the time fractions, but not because the peer sends it, but because syslog-ng generates R_ timestamps locally as the messages arrive.
However it does not work for some reason. Let me check it and get back to you.
-- Bazsi
On Sun, 2006-02-12 at 11:44 +0100, Balazs Scheidler wrote:
On Sun, 2006-02-12 at 11:37 +0100, Balazs Scheidler wrote:
On Fri, 2006-02-10 at 08:29 -0500, rlott@ivhs.com wrote:
So there are two timestamps per message:
1) the one in the message as received from the peer, it will never contain fractions except when the message was generated by syslog-ng and this information was also sent by using a custom template (syslog-ng tries to remain compatible with existing syslog devices by default, thus it does not send an extended timestamp) Macros referencing this timestamp begin with "S_" (for stamp)
2) the one assigned by syslog-ng when the message was received from the peer. This should always contain fractions. These stamps begin with "R_" (for received)
The prefixes might not be very intuitive, their naming is historical heritage :)
Thus the example configuration that you sent above should indeed include the time fractions, but not because the peer sends it, but because syslog-ng generates R_ timestamps locally as the messages arrive.
However it does not work for some reason. Let me check it and get back to you.
I've just committed a patchset that should fix this functionality. I also added frac_digits() option which controls how precisely time fractions should be represented. (again, you need tomorrow's snapshot)
This is my test configuration:
options {
    file_template(t_file);
    proto_template(t_proto);
    ts_format(iso);
    normalize_hostnames(yes);
};
template t_file {
    template("<$PRI>$ISODATE $HOST $MSG\n");
    template-escape(no);
};
template t_proto {
    template("<$PRI>$ISODATE $HOST $MSG\n");
    template-escape(no);
};
source s_udp {
    unix-stream("log");
    udp(ip("0.0.0.0") port(2000) flags(kernel) keep-timestamp(no));
};
destination d_file {
    file("/home/bazsi/zwa/install/syslog-ng-2.0/logs/messages");
    udp("localhost" port(3000) frac_digits(6));
};
log { source(s_udp); destination(d_file); };
-- Bazsi
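The log entry quoted in this thread carries no fraction, so two events in the same second cannot be ordered in a timeline. As an added example (not part of the original thread and not syslog-ng code), the Python check below parses the leading RFC 3339 stamp of each written line, reports lines with fewer fraction digits than expected, and flags events that collapse to the same instant. It assumes the "timestamp host message" layout of the posted template; parse_line, audit and every sample line except the first are constructed here.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 stamp at line start: date "T" time [ "." fraction ] ( "Z" | offset )
RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})\s+(\S+)\s?(.*)$"
)

def parse_line(line):
    """Return (utc_datetime, frac_digits, host, msg), or None if no RFC 3339 stamp."""
    m = RFC3339.match(line.rstrip("\n"))
    if not m:
        return None
    y, mo, d, h, mi, s, frac, zone, host, msg = m.groups()
    micros = int((frac or "").ljust(6, "0")[:6])  # keep at most microseconds
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros,
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc), len(frac or ""), host, msg

def audit(lines, want_digits=6):
    """Report line numbers below want_digits precision and same-instant ties."""
    events, short = [], []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is not None:
            events.append((parsed[0], n))
            if parsed[1] < want_digits:
                short.append(n)
    events.sort()
    ties = [(a[1], b[1]) for a, b in zip(events, events[1:]) if a[0] == b[0]]
    return {"short": short, "ties": ties}

# Constructed sample: line 1 is the entry quoted in the thread; the rest are made up.
SAMPLE = [
    "2006-02-10T07:45:15-05:00 localhost <rest of message>",
    "2006-02-10T07:45:15-05:00 localhost second event in the same second",
    "2006-02-10T07:45:15.250000-05:00 localhost event with six fraction digits",
    "2006-02-10T12:45:15.250001+00:00 localhost one microsecond later, UTC offset",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Stamps are normalized to UTC before comparison, so lines written with different offsets still sort correctly.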
participants (2)
- Balazs Scheidler
- rlott@ivhs.com