Remove double timestamping
Hello ....

New user to syslog-ng but still hoping someone can help me with a small config example.

I'm forwarding syslog from my syslog-ng but when it arrives it has double timestamps/hostname:
--
Jan 19 11:02:58 cut-hostname 10.229.5.2 32176: Jan 19 11:02:57: %SFF8472-5-THRESHOLD_VIOLATION
--

I have added this to my config:

    options {
        use_time_recvd(yes);
        keep_hostname(no);
    };

also included:

    destination udp_forward { udp("<my ip>"); };
    template fjern { template("$MSGONLY\n"); };
    destination cisco_cupe { file("/var/log/cisco_cupe" template("fjern")); };
    log { source(s_all); filter(local5); destination(cisco_cupe); destination(udp_forward); };

Cheers
Martin
On Tue, 2010-01-19 at 11:08 +0100, Marty Sørensen wrote:
> Hello ....
> New user to syslog-ng but still hoping someone can help me with a small config example
> I'm forwarding syslog from my syslog-ng but when it arrives it has double timestamps/hostname:
> --
> Jan 19 11:02:58 cut-hostname 10.229.5.2 32176: Jan 19 11:02:57: %SFF8472-5-THRESHOLD_VIOLATION
> --

Your Cisco gear is including a sequence number in the timestamp, which syslog-ng doesn't recognize.
That's the "32176: " prefix before the 2nd timestamp. If you disable that, it'll work.
I'm planning to add support for this field in the future.

-- Bazsi
Hey Bazsi,

Thanks for the quick reply, great job/service.

Unfortunately it still doesn't work with the config I pasted:
--
Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console by <username> on vty0 (<ip>)
--

Martin

2010/1/19 Balazs Scheidler <bazsi@balabit.hu>
> Your Cisco gear is including a sequence number in the timestamp, which syslog-ng doesn't recognize.
> That's the "32176: " prefix before the 2nd timestamp. If you disable that, it'll work.
> I'm planning to add support for this field in the future.
> -- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
Along those same lines, the Cisco MDS series of SAN switches (along with IOS-XR, I'm told) sends non-RFC dates like "2010 Jan 01 00:00:01" instead of "Jan 01 2010 00:00:01" as per the RFC. Rewriting seems impossible since the macro fields for $PROGRAM and $MSG aren't populated correctly to begin with. If support for that wacky date format could be added, that would be great.

Thanks,
Martin

On Tue, Jan 19, 2010 at 6:16 AM, Marty Sørensen <buzzwork@gmail.com> wrote:
> Hey Bazsi,
> Thanks for the quick reply, great job/service.
> Unfortunately it still doesn't work with the config I pasted:
> --
> Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console by <username> on vty0 (<ip>)
> --
> Martin
On Tue, 2010-01-19 at 13:16 +0100, Marty Sørensen wrote:
> Hey Bazsi,
> Thanks for the quick reply, great job/service.
> Unfortunately it still doesn't work with the config I pasted:
> --
> Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console by <username> on vty0 (<ip>)
> --

There's a colon in the date after the seconds part: 'Jan 19 13:13:44:', is that really there as it is received from the Cisco box?

It most resembles this format as supported by syslog-ng:

    /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */

However it seems to lack the year information.

The currently supported date formats can be found in logmsg.c, log_msg_parse_date() function:

    /* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
    /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
    /* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */
    /* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
    /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */

You can enable the year in the timestamp above with:

    # service timestamps year

If I read this correctly:
http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07...

The timestamp above would be fine if there was no colon at the end. But there is, which causes syslog-ng to expect a year as well.

> Martin
-- Bazsi
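The following is an added illustration, not part of the thread and not syslog-ng's parser: a small Python classifier whose regexes approximate the five timestamp formats Bazsi lists, tried in the same order. It shows why the Cisco payload with the "32176: " prefix and the trailing colon after the seconds matches none of them, what a normalized payload looks like, and (going slightly beyond the thread) that the MDS "2010 Jan 01 00:00:01" date Martin Holste mentions earlier is also unmatched; the sequence-number handling assumes the number sits directly before the device timestamp, as in the sample line.

```python
import re

# Added illustration, not syslog-ng's code: regexes approximating the five
# timestamp formats listed from log_msg_parse_date(), tried in that order.
MON = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
DATE_FORMATS = [
    ("RFC3339", r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2}"),
    ("PIX", MON + r" \d{2} \d{4} \d{2}:\d{2}:\d{2}:"),
    ("ASA", MON + r" \d{2} \d{4} \d{2}:\d{2}:\d{2}"),
    ("LinkSys", MON + r" \d{2} \d{2}:\d{2}:\d{2} \d{4}"),
    ("RFC3164", MON + r" [ \d]\d \d{2}:\d{2}:\d{2}"),
]
# IOS sequence-number prefix such as "32176: " (assumed to sit directly
# before the device timestamp, as in the sample line from the thread).
SEQNUM = re.compile(r"^(\d+): ")


def classify_date(text):
    """Return (format_name, remainder) when text opens with a supported
    timestamp followed by a space or end of string, else (None, text)."""
    for name, pat in DATE_FORMATS:
        m = re.match(pat + r"(?= |$)", text)
        if m:
            return name, text[m.end():].lstrip()
    return None, text


def parse_cisco_payload(payload):
    """Split a Cisco payload into sequence number, recognized date format
    and the remaining message; date_format is None when nothing matches."""
    seq = None
    m = SEQNUM.match(payload)
    if m:
        seq = int(m.group(1))
        payload = payload[m.end():]
    fmt, rest = classify_date(payload)
    return {"seq": seq, "date_format": fmt, "message": rest}


def normalize_cisco_payload(payload):
    """Drop the sequence number and the stray colon after the seconds field so
    the device timestamp becomes plain RFC 3164, which the parser does accept."""
    payload = SEQNUM.sub("", payload, count=1)
    return re.sub(r"^(" + MON + r" [ \d]\d \d{2}:\d{2}:\d{2}):", r"\1", payload)
```

Run parse_cisco_payload() on the constructed payload "32176: Jan 19 11:02:57: %SFF8472-5-THRESHOLD_VIOLATION" to see date_format come back as None, then feed normalize_cisco_payload() of the same string into classify_date() to see it recognized as RFC3164.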
Hey,

Thanks for the reply and the explanation.

It's not all IOS versions/Cisco boxes that support enabling the year in the log, e.g. Catalyst ME3400/4500.

I can see that the log I now am getting looks like this, after I got some of my config to work:
--
Message from syslogd@<syslog-ng sender> at Wed Jan 20 10:21:02 2010 ...
<syslog-ng sender> Jan 20 10:21:01: %SYS-5-CONFIG_I: Configured from console by <user> on vty0 (<ip>)>
--

Martin

2010/1/19 Balazs Scheidler <bazsi@balabit.hu>
> On Tue, 2010-01-19 at 13:16 +0100, Marty Sørensen wrote:
> > Hey Bazsi,
> > Thanks for the quick reply, great job/service.
> > Unfortunately it still doesn't work with the config I pasted:
> > --
> > Jan 19 13:13:45 <hostname> : Jan 19 13:13:44: %SYS-5-CONFIG_I: Configured from console by <username> on vty0 (<ip>)
> > --
>
> There's a colon in the date after the seconds part: 'Jan 19 13:13:44:', is that really there as it is received from the Cisco box?
> It most resembles this format as supported by syslog-ng:
>     /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
> However it seems to lack the year information.
> The currently supported date formats can be found in logmsg.c, log_msg_parse_date() function:
>     /* RFC3339 timestamp, expected format: YYYY-MM-DDTHH:MM:SS[.frac]<+/->ZZ:ZZ */
>     /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
>     /* ASA timestamp, expected format: MMM DD YYYY HH:MM:SS */
>     /* LinkSys timestamp, expected format: MMM DD HH:MM:SS YYYY */
>     /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
> You can enable the year in the timestamp above with:
>     # service timestamps year
> If I read this correctly:
> http://www.cisco.mn/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g07...
> The timestamp above would be fine if there was no colon at the end. But there is, which causes syslog-ng to expect a year as well.
>
> -- Bazsi
participants (3)
- Balazs Scheidler
- Martin Holste
- Marty Sørensen