[syslog-ng] Double timestamps cause DB issue

Balazs Scheidler syslog-ng@lists.balabit.hu
Sat, 26 Apr 2003 15:29:19 +0200


On Sat, Apr 26, 2003 at 11:20:36PM +1200, Jason Haar wrote:
> On Fri, Apr 25, 2003 at 09:06:25PM +0200, Balazs Scheidler wrote:
> > > SYSLOG:
> > > SYSLOG:  "<172>Apr 25 2003 14:06:02: %PIX-4-106023: Deny tcp src insid"
> > > SYSLOG:
> > 
> > as it seems the problem is caused by the bad date stamp. I might add support
> > for this stamp if you are willing to test it.
> 
> Is it really needed? This "issue" is caused by Cisco routers. It is optional
> to configure them to timestamp each syslog transmission themselves - instead
> of relying on the Syslog server to do it - as all other syslog clients I've
> ever come across do.
> 
> Personally, I think this Cisco "feature" sucks ;-) I trust the clock on the
> Syslog server - I don't trust the clock on some remote router... 
> 
> I'd suggest that Robin fix up the Ciscos rather than "fix" syslog-ng when it
> isn't broken...
> 
> If it is needed, at least make it optional so that you can choose to:
> 
> a) ignore it (old behaviour)
> b) allow timestamp to override Syslog server timestamp (why would you ever want
>                                                        this?)
> c) skip the timestamp - so that the syslog record looks like the Cisco was
>    correctly configured ;-) 

It is already possible to override the sender's timestamp by using the
use_time_recvd() global option (which affects macro expansion), or one of
the time macros prefixed by 'S_'

e.g.

destination router_logs { file("/var/log/messages" template("$DATE $HOST $MSG\n")); };

outputs the timestamp as received from the sender when use_time_recvd = no,
and the server's timestamp when use_time_recvd = yes.

But you can refer to these properties of the messages directly by either
using the R_DATE or the S_DATE macros.

The possibility to recognize sent timestamps (while allowing to override it)
is good IMHO.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
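
The following is an added example, not part of the original message and not syslog-ng's own code. It sketches how a strict BSD-style header parser leaves the Cisco stamp quoted in the thread inside the message text, and how recognizing the stamp yields separate sender and receiver times with a use_time_recvd-style switch. The function name, the accept_year flag, the dict keys and the receive time are assumptions made for the illustration.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Classic BSD syslog stamp "Mmm dd hh:mm:ss "; the optional group accepts the
# variant quoted in the thread, "Mmm dd yyyy hh:mm:ss: ".
STAMP = re.compile(r"([A-Z][a-z]{2}) +(\d{1,2}) (?:(\d{4}) )?(\d\d):(\d\d):(\d\d)(:?) ")

def parse(raw, recvd, accept_year=True, use_time_recvd=False):
    """Split a raw datagram into priority, sender/receiver stamps and message.

    recvd is the receiver's clock at arrival. 'date' models an unprefixed
    date field: sender time unless use_time_recvd is set or no stamp parsed
    (the fallback to receive time is an assumption of this sketch).
    """
    pri = re.match(r"<(\d{1,3})>", raw)
    rest = raw[pri.end():] if pri else raw
    prival = int(pri.group(1)) if pri else 13      # 13 = user.notice default
    sent = None
    m = STAMP.match(rest)
    if m:
        mon, day, year, hh, mm, ss, colon = m.groups()
        has_year = year is not None
        # Strict mode: a year or trailing colon means "not a stamp", so the
        # text stays in the message (the double-timestamp symptom).
        if mon in MONTHS and (accept_year or not (has_year or colon)):
            try:
                sent = datetime(int(year) if has_year else recvd.year,
                                MONTHS.index(mon) + 1, int(day),
                                int(hh), int(mm), int(ss))
                rest = rest[m.end():]
            except ValueError:                     # e.g. "Feb 31": keep as text
                sent = None
    return {
        "facility": prival >> 3, "severity": prival & 7,
        "s_date": sent, "r_date": recvd,
        "date": recvd if (use_time_recvd or sent is None) else sent,
        "msg": rest,
    }

# The truncated line quoted in the thread, used as constructed wire input.
SAMPLE = "<172>Apr 25 2003 14:06:02: %PIX-4-106023: Deny tcp src insid"
RECVD = datetime(2003, 4, 25, 21, 6, 25)           # constructed receive time
```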