[syslog-ng] Anyone using swatch with R_ISODATE set?

Jason Haar syslog-ng@lists.balabit.hu
Tue, 25 Feb 2003 09:24:24 +1300

Hi there

I'm using swatch 3.1beta and its throttling option isn't too happy about me
using R_ISODATE in my syslogs.


2003-02-24T20:21:17+0000 server.name mail info qmail: 1046118077.034427 status: local 0/10 remote 0/100

As you can see, I've put all possible information about each syslog record
in: UTC timestamped, plus facility and priority.

Anyway, swatch doesn't like that timestamp format and probably doesn't like
the rest either. I've tried using the new perl_code option to remap how it
matches, but it looks like it didn't expect anyone to be screwing around
with the timestamp so much :-)

Anyone else got it to work? At the moment I'm having to pump the syslogs
through a prefilter to convert back into "standard" syslog format to keep
swatch happy - it works, but a hack is a hack...



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
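
The prefilter workaround mentioned in the message above, sketched as an added example (not the poster's script and not part of swatch or syslog-ng). It assumes the field layout of the sample line (ISO timestamp, host, facility, priority, message), drops facility and priority, and keeps the timestamp's wall-clock time unless a target zone is passed; `to_classic` is a hypothetical name.

```python
import re
import sys
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")  # fixed list, locale independent

# Layout assumed from the sample line in the post:
#   <ISO timestamp> <host> <facility> <priority> <message>
ISO_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:?\d{2})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(.*)$"
)


def to_classic(line, tz=None):
    """Rewrite one ISO-dated line as 'Mmm dd HH:MM:SS host message'.

    Lines that do not match are passed through unchanged, so nothing
    disappears from the stream the log watcher reads.
    """
    line = line.rstrip("\n")
    m = ISO_LINE.match(line)
    if not m:
        return line
    stamp, host, _facility, _priority, rest = m.groups()
    if stamp[-3] == ":":                 # accept +00:00 as well as +0000
        stamp = stamp[:-3] + stamp[-2:]
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
    if tz is not None:                   # optional: convert to the watcher's zone
        when = when.astimezone(tz)
    # Traditional syslog pads the day of month with a space, not a zero.
    return "%s %2d %02d:%02d:%02d %s %s" % (
        MONTHS[when.month - 1], when.day,
        when.hour, when.minute, when.second, host, rest)


if __name__ == "__main__":
    # Use as a pipe stage in front of the log watcher.
    for raw in sys.stdin:
        print(to_classic(raw), flush=True)
```
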