sub-second time digits all 0
Hello, I am not getting non-zero sub-second timestamp digits. My /etc/syslog-ng/syslog-ng.conf file includes this global configuration:

# First, set some global options.
options { frac-digits(3); chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
    owner("root"); group("adm"); perm(0640); stats_freq(0);
    bad_hostname("^gconfd$");
};

My syslog-ng.conf also includes a sub-config file for sending the logs to a remote host, with this configuration:

destination d_net {
    udp("loggerhost" port(30515) frac-digits(3) );
};
log { source(s_src); destination(d_net); };

But all sub-second timestamp digits wind up being only zeroes on the remote "loggerhost", like this:

2019-09-03T21:57:23.000+00:00 10.73.254.255 [info] [sshd] 3284 Accepted password for root from 10.72.0.186 port 50720 ssh2

The sending host is running syslog-ng 3.5.3. The receiving "loggerhost" is running 3.5.6.

Thanks in advance for any help you can afford.
Hi John,

Can you try it with another source?

source s_test { network(transport(udp) port(9090)); };
...
log { source(s_src); source(s_test); destination(d_net); };

Then run:

echo -n "test" >/dev/udp/localhost/9090

You can enable/disable wifi on your system to generate kernel messages. For me, the output looks like this:

<13>Sep 4 08:50:32.370 127.0.0.1 test
<13>Sep 4 08:50:33.010 127.0.0.1 test
<13>Sep 4 08:50:33.425 127.0.0.1 test
<13>Sep 4 08:50:33.746 127.0.0.1 test
<13>Sep 4 08:50:34.066 127.0.0.1 test
<13>Sep 4 08:50:34.658 127.0.0.1 test
<13>Sep 4 08:50:35.026 127.0.0.1 test
<13>Sep 4 08:50:35.314 127.0.0.1 test
<13>Sep 4 08:50:35.666 127.0.0.1 test
<85>Sep 4 08:50:36.000 alltilla-Precision-5530 su[30952]: pam_unix(su:auth): authentication failure; logname=alltilla uid=1001 euid=0 tty=/dev/pts/11 ruser=alltilla rhost= user=root
<83>Sep 4 08:50:38.000 alltilla-Precision-5530 su[30952]: pam_authenticate: Authentication failure
<6>Sep 4 08:52:47.691 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready
<6>Sep 4 08:52:47.775 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready

My su messages do not have sub-second times either, but the test udp source and the wifi-generated kernel messages do.

I am testing this on 3.5.6 on an Ubuntu-Xenial machine. Although there is some change to the frac-digits() behavior in 3.5.6, maybe 3.5.3 will still have all zeros.

https://github.com/balabit/syslog-ng/commit/70d758fe40ad64f78e28e87b629c54fb...

Thanks Szemere for the help!

Best regards,
Attila
Thanks for the advice. Testing as you advise I do get the sub second non-zero digits. Are you saying that the commit you reference fixes the problem in 3.5.6?
Hi John,

It seems that su and sshd do not provide sub-second timestamps. There cannot be a fix for that from the syslog-ng side.

You can choose to discard the timestamps provided by the source and use the timestamp of the log reception instead. The 'reception' timestamp has sub-second time information. Note that the 'reception' timestamp can differ from the original timestamp.

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...

May I ask if there is any particular reason you are using 3.5.3? There are fresher releases, with a lot of new features and bugfixes.

Best regards,
Attila
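Added example (not part of the thread and not syslog-ng code): a Python check that applies the diagnosis in the reply above to collected log lines, grouping them by program and listing the programs whose messages never carry a non-zero fraction. The sample lines are constructed in the format quoted in the thread; the function names and the `min_messages` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: BSD-style header with frac-digits(3), as quoted in the thread.
SAMPLE = """\
<13>Sep 4 08:50:32.370 127.0.0.1 test
<13>Sep 4 08:50:33.010 127.0.0.1 test
<85>Sep 4 08:50:36.000 host1 su[30952]: pam_unix(su:auth): authentication failure
<83>Sep 4 08:50:38.000 host1 su[30952]: pam_authenticate: Authentication failure
<38>Sep 4 08:51:02.000 host1 sshd[3284]: Accepted password for root from 192.0.2.10 port 50720 ssh2
<38>Sep 4 08:51:09.000 host1 sshd[3290]: Accepted password for root from 192.0.2.10 port 50722 ssh2
<6>Sep 4 08:52:47.691 host1 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready
<6>Sep 4 08:52:47.775 host1 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready
this line is not syslog
"""

# <PRI>Mon D HH:MM:SS[.frac] HOST rest
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2})(?:\.(?P<frac>\d+))? (?P<host>\S+) (?P<rest>.*)$"
)
# Optional "program[pid]:" tag at the start of the message part.
TAG_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?:")

def fraction_report(lines):
    """Return ({program: {"total", "nonzero"}}, number of unparsable lines)."""
    stats = defaultdict(lambda: {"total": 0, "nonzero": 0})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        tag = TAG_RE.match(m["rest"])
        prog = tag["prog"] if tag else "(untagged)"
        stats[prog]["total"] += 1
        # A missing fraction and an all-zero fraction both mean "no sub-second data".
        if m["frac"] and int(m["frac"]) != 0:
            stats[prog]["nonzero"] += 1
    return dict(stats), skipped

def second_resolution_sources(stats, min_messages=2):
    """Programs that never show a fraction; a single .000 alone can be chance."""
    return sorted(p for p, s in stats.items()
                  if s["total"] >= min_messages and s["nonzero"] == 0)

if __name__ == "__main__":
    report, bad = fraction_report(SAMPLE.splitlines())
    print(second_resolution_sources(report), "unparsed:", bad)
```
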
participants (2)
- Attila Szakacs (aszakacs)
- John Chang