[syslog-ng]use_time_recvd() not working?

Hall J D (ISeLS) syslog-ng@lists.balabit.hu
Thu, 1 Jul 2004 15:09:47 +0100


Thanks to Michael pointing me at the mail archive I now understand that use_time_recvd() only applies to macros used in filename expansion and logformat templates.

So to get the behaviour I was expecting, that use_time_recvd(yes) would affect the "default" template, I need to define a template for my destination. Would template("$DATE $HOST $MSG\n") cover it?

While looking through the mail archives I saw mention of many other macros, R_DATE, S_DATE etc., which don't appear in the documentation. Do these still exist and if so what do they do? Are they left out of the documentation for a reason?

Thanks again,

Jonathan

-----Original Message-----
From: Trapp, Michael [mailto:michael.trapp@sap.com]
Sent: 30 June 2004 16:04
To: Hall J D (ISeLS)
Cc: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng]use_time_recvd() not working?



hi jonathan,

have a look at

https://lists.balabit.hu/pipermail/syslog-ng/2002-September/003874.html

regards
michael

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu =
[mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Hall J D (ISeLS)
Sent: Mittwoch, 30. Juni 2004 16:53
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]use_time_recvd() not working?



Hello all,

I've recently installed Syslog-ng 1.6.2 on a FreeBSD 4.9 to act as my new collector and I can't get the use_time_recvd() option to work properly.

No matter if I specify use_time_recvd(yes) or use_time_recvd(no) the messages, from a Cisco PIX firewall, are still getting recorded with the time from the message and not the local time.

Is this a known issue, or am I doing something really silly?

Below are the relevant bits from my config

Thanks,

Jonathan



options { long_hostnames(off); sync(0); use_time_recvd(yes);
          create_dirs(yes); dir_perm(0750); };

source net { udp(ip(193.63.147.98) port(514));
             tcp(ip(193.63.147.98) port(1740) keep-alive(yes)); };

destination fwall { file("/var/log/firewalls/$HOST.$YEAR.$MONTH.$DAY.log"
                         perm(0640)); };

filter f_pixmsg { match("%PIX"); };

filter f_local0 { facility(local0); };

log { source(net); filter(f_local0); filter(f_pixmsg); destination(fwall); };
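To make the distinction this thread turns on concrete, here is an added example (not from the mail, and not syslog-ng code) that parses a constructed PIX-style BSD-syslog line into the fields behind the S_DATE/R_DATE/HOST/MSG macros and expands a small template both ways: with use_time_recvd(yes) the unprefixed $DATE means the collector's receive time, otherwise the sender's own timestamp. The sample line, the arrival time, the regex and the year-borrowing rule are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: a BSD-syslog (RFC 3164) line as a PIX on facility local0
# would send it (PRI 134 = local0.info), plus the collector's local clock at arrival.
SAMPLE_LINE = "<134>Jun 30 16:48:09 pix-fw %PIX-6-302013: Built outbound TCP connection"
SAMPLE_RECV = datetime(2004, 6, 30, 16, 53, 7)

# <PRI>Mmm dd hh:mm:ss HOST MSG; the day may be padded with a space.
BSD_RE = re.compile(r"^<(\d{1,3})>(\w{3}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$")


def parse_bsd_syslog(line, received_at):
    """Split a BSD-syslog line into the fields the syslog-ng date/host macros expose.

    S_DATE is the sender's own timestamp, R_DATE is when the collector received it.
    BSD syslog carries no year, so the received year is borrowed (assumption).
    """
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    pri, mon, day, hh, mm, ss, host, msg = m.groups()
    sent = datetime.strptime(f"{mon} {day} {hh}:{mm}:{ss} {received_at.year}",
                             "%b %d %H:%M:%S %Y")
    return {
        "FACILITY": int(pri) >> 3, "PRIORITY": int(pri) & 7,
        "HOST": host, "MSG": msg, "S_DATE": sent, "R_DATE": received_at,
    }


def render(fields, template, use_time_recvd):
    """Expand $MACRO names in a template as the thread describes: the unprefixed
    $DATE follows use_time_recvd, while $S_DATE and $R_DATE are always explicit."""
    date = fields["R_DATE"] if use_time_recvd else fields["S_DATE"]
    fmt = "%b %d %H:%M:%S"
    macros = {
        "DATE": date.strftime(fmt),
        "S_DATE": fields["S_DATE"].strftime(fmt),
        "R_DATE": fields["R_DATE"].strftime(fmt),
        "HOST": fields["HOST"], "MSG": fields["MSG"],
    }
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), template)


def clock_skew_seconds(fields):
    """Sender time minus receive time; a large magnitude means a device clock is off,
    which is exactly the case where recording R_DATE alongside S_DATE pays off."""
    return (fields["S_DATE"] - fields["R_DATE"]).total_seconds()
```

Keeping both timestamps in the stored record (for example `template("$R_DATE $S_DATE $HOST $MSG\n")`) avoids having to choose between them at collection time.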

