[syslog-ng] Double timestamps cause DB issue

Jason Haar syslog-ng@lists.balabit.hu
Sat, 26 Apr 2003 23:20:36 +1200


On Fri, Apr 25, 2003 at 09:06:25PM +0200, Balazs Scheidler wrote:
> > SYSLOG:
> > SYSLOG:  "<172>Apr 25 2003 14:06:02: %PIX-4-106023: Deny tcp src insid"
> > SYSLOG:
> 
> as it seems the problem is caused by the bad date stamp. I might add support
> for this stamp if you are willing to test it.

Is it really needed? This "issue" is caused by Cisco routers. It is optional
to configure them to timestamp each syslog transmission themselves - instead
of relying on the Syslog server to do it - as all other syslog clients I've
ever come across do.

Personally, I think this Cisco "feature" sucks ;-) I trust the clock on the
Syslog server - I don't trust the clock on some remote router... 

I'd suggest that Robin fix up the Ciscos rather than "fix" syslog-ng when it
isn't broken...

If it is needed, at least make it optional so that you can choose to:

a) ignore it (old behaviour)
b) allow timestamp to override Syslog server timestamp (why would you ever
   want this?)
c) skip the timestamp - so that the syslog record looks like the Cisco was
   correctly configured ;-) 
   
-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
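
The three options a) to c) listed in the message above, sketched as an added example that is not part of the original post and is not syslog-ng code. The policy names, the function name and the receive time are assumptions made for illustration; the sample line is the truncated one quoted in the thread.

```python
import re
from datetime import datetime

# The stamp quoted in the thread has a four-digit year and a trailing colon
# ("<PRI>Mmm dd yyyy hh:mm:ss: "), unlike the BSD syslog "Mmm dd hh:mm:ss".
DEVICE_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d{4} \d{2}:\d{2}:\d{2}): "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
POLICIES = ("ignore", "override", "strip")  # hypothetical names for a), b), c)

# Constructed input: the truncated line quoted in the thread, as received.
SAMPLE = "<172>Apr 25 2003 14:06:02: %PIX-4-106023: Deny tcp src insid"


def handle_device_stamp(raw, received_at, policy="strip"):
    """Return (facility, severity, timestamp, message) for one datagram."""
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % (policy,))
    m = DEVICE_HEADER.match(raw)
    if m is None or int(m.group("pri")) > 191:
        # Not the device format: keep the text and the server's own clock.
        return None, None, received_at, raw
    pri = int(m.group("pri"))
    facility, severity = pri >> 3, pri & 7
    stamp, msg = m.group("stamp"), m.group("msg")
    if policy == "ignore":
        # a) old behaviour: the device stamp stays inside the message text.
        return facility, severity, received_at, stamp + ": " + msg
    if policy == "override":
        # b) trust the device clock; fall back if the date is impossible.
        try:
            when = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        except ValueError:
            when = received_at
        return facility, severity, when, msg
    # c) drop the stamp so the record looks like one from a stamp-less sender.
    return facility, severity, received_at, msg


if __name__ == "__main__":
    now = datetime(2003, 4, 26, 11, 20, 36)  # constructed receive time
    for p in POLICIES:
        print(p, handle_device_stamp(SAMPLE, now, p))
```

With "strip" or "ignore" the stored time is always the collector's own clock, so a router with a wrong or tampered clock cannot backdate records; only "override" lets the sender choose the timestamp.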