v3.0.8: How to log messages with non-RFC timestamps?
I'm using syslog-ng v3.0.8 (OSE) for logging messages from remote devices. There is a host which sends messages with an incorrect timestamp format, for example "Jan 19 15:52:7". Syslog-ng does not store the first word of the timestamp via the $MSGHDR macro.

For example:

    $ echo "<134>Jan 19 15:52:7 test" | nc -u 192.168.3.142 514
    ^C

But the log file does not contain the word 'Jan':

    Aug 29 16:49:10 10.147.0.202 10.147.0.202 19 15:52:7 test

Configuration file:

    @version: 3.0
    options { use_dns(yes); };
    source src_remote {
        udp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
        tcp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
    };
    template t_remote {
        template("$DATE $SOURCEIP $HOST_FROM $MSGHDR$MESSAGE\n");
        template_escape(no);
    };
    destination remoteall {
        file("/var/log/all-remote.log" template(t_remote));
    };
    log { source(src_remote); destination(remoteall); };

How can I store the original timestamp from the remote host?

--
wbr, Sergey V. Lobanov

On Sun, 2010-08-29 at 17:27 +0400, Sergey V.Lobanov wrote:
> I'm using syslog-ng v3.0.8 (OSE) for logging messages from remote devices. There is a host which sends messages with an incorrect timestamp format, for example "Jan 19 15:52:7". Syslog-ng does not store the first word of the timestamp via the $MSGHDR macro.
>
> For example:
>
>     $ echo "<134>Jan 19 15:52:7 test" | nc -u 192.168.3.142 514
>     ^C
>
> But the log file does not contain the word 'Jan':
>
>     Aug 29 16:49:10 10.147.0.202 10.147.0.202 19 15:52:7 test
>
> Configuration file:
>
>     @version: 3.0
>     options { use_dns(yes); };
>     source src_remote {
>         udp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
>         tcp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
>     };
>     template t_remote {
>         template("$DATE $SOURCEIP $HOST_FROM $MSGHDR$MESSAGE\n");
>         template_escape(no);
>     };
>     destination remoteall {
>         file("/var/log/all-remote.log" template(t_remote));
>     };
>     log { source(src_remote); destination(remoteall); };
>
> How can I store the original timestamp from the remote host?

Well, I can't really see a solution right now, other than to modify the hand-crafted parser in the syslog-ng source code (logmsg.c, log_msg_parse_date).

In 3.2, there's a "format" plugin that is responsible for converting textual log records to its internal representation, which would also require C coding but you could avoid changing the general case.

--
Bazsi

On 09/02/2010 07:41 PM, Balazs Scheidler wrote:
> On Sun, 2010-08-29 at 17:27 +0400, Sergey V.Lobanov wrote:
> > I'm using syslog-ng v3.0.8 (OSE) for logging messages from remote devices. There is a host which sends messages with an incorrect timestamp format, for example "Jan 19 15:52:7". Syslog-ng does not store the first word of the timestamp via the $MSGHDR macro.
> >
> > For example:
> >
> >     $ echo "<134>Jan 19 15:52:7 test" | nc -u 192.168.3.142 514
> >     ^C
> >
> > But the log file does not contain the word 'Jan':
> >
> >     Aug 29 16:49:10 10.147.0.202 10.147.0.202 19 15:52:7 test
> >
> > Configuration file:
> >
> >     @version: 3.0
> >     options { use_dns(yes); };
> >     source src_remote {
> >         udp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
> >         tcp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
> >     };
> >     template t_remote {
> >         template("$DATE $SOURCEIP $HOST_FROM $MSGHDR$MESSAGE\n");
> >         template_escape(no);
> >     };
> >     destination remoteall {
> >         file("/var/log/all-remote.log" template(t_remote));
> >     };
> >     log { source(src_remote); destination(remoteall); };
> >
> > How can I store the original timestamp from the remote host?
>
> Well, I can't really see a solution right now, other than to modify the hand-crafted parser in the syslog-ng source code (logmsg.c, log_msg_parse_date).
>
> In 3.2, there's a "format" plugin that is responsible for converting textual log records to its internal representation, which would also require C coding but you could avoid changing the general case.

Thanks, I'll use syslog-ng v3.2 if the manufacturer of these devices does not fix this bug in the next version of the firmware.

--
wbr, Sergey V. Lobanov
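
Added example, not part of the original thread and not syslog-ng code: a stand-alone C sketch of the tolerance a legacy-timestamp parser needs for the header discussed above. The names parse_bsd_stamp, struct bsd_stamp and the strict flag are assumptions; strict mode requires two-digit hh:mm:ss, lenient mode accepts one-digit fields such as the "7" in "Jan 19 15:52:7", and the returned length lets the caller store the original header text unchanged.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct bsd_stamp { int mon, day, hour, min, sec; };

/* Read one or two digits (exactly two when strict); -1 on error. */
static int read_field(const char **p, int strict, int max)
{
    int n = 0, v = 0;
    while (n < 2 && isdigit((unsigned char)**p)) {
        v = v * 10 + (**p - '0');
        (*p)++;
        n++;
    }
    return (n == 0 || (strict && n != 2) || v > max) ? -1 : v;
}

/* Parse "Mmm dd hh:mm:ss" at the start of s. Returns the number of
 * bytes consumed so the caller can keep the raw text, or 0 on failure. */
size_t parse_bsd_stamp(const char *s, int strict, struct bsd_stamp *out)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char name[4] = {0};
    const char *m, *p;

    if (strlen(s) < 4 || s[3] != ' ')
        return 0;
    memcpy(name, s, 3);
    m = strstr(months, name);
    if (m == NULL || (m - months) % 3 != 0)   /* reject "anF" etc. */
        return 0;
    out->mon = (int)((m - months) / 3) + 1;
    p = s + 4;
    if (*p == ' ')                   /* RFC 3164 pads one-digit days */
        p++;
    if ((out->day = read_field(&p, 0, 31)) < 1 || *p++ != ' ') return 0;
    if ((out->hour = read_field(&p, strict, 23)) < 0 || *p++ != ':') return 0;
    if ((out->min = read_field(&p, strict, 59)) < 0 || *p++ != ':') return 0;
    if ((out->sec = read_field(&p, strict, 59)) < 0) return 0;
    if (isdigit((unsigned char)*p))  /* e.g. three-digit seconds */
        return 0;
    return (size_t)(p - s);
}

int main(void)
{
    const char *msg = "Jan 19 15:52:7 test";  /* payload from the thread */
    struct bsd_stamp t;
    size_t strict_len = parse_bsd_stamp(msg, 1, &t);
    size_t n = parse_bsd_stamp(msg, 0, &t);
    printf("strict=%zu lenient=%zu raw='%.*s'\n", strict_len, n, (int)n, msg);
    return 0;
}
```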