[syslog-ng]use_time_recvd() not working?

Trapp, Michael syslog-ng@lists.balabit.hu
Wed, 30 Jun 2004 17:03:51 +0200


hi jonathan,
 
have a look at 
 
https://lists.balabit.hu/pipermail/syslog-ng/2002-September/003874.html
 
regards
michael

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Hall J D (ISeLS)
Sent: Mittwoch, 30. Juni 2004 16:53
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]use_time_recvd() not working?



Hello all, 

I've recently installed Syslog-ng 1.6.2 on a FreeBSD 4.9 to act as my new collector and I can't get the use_time_recvd() option to work properly.

No matter if I specify  use_time_recvd(yes) or  use_time_recvd(no) the messages, from a Cisco PIX firewall, are still getting recorded with the time from the message and not the local time.

Is this a known issue, or am I doing something really silly? 

Below are the relevant bits from my config 

Thanks, 

Jonathan 



options { long_hostnames(off); sync(0); use_time_recvd(yes); 
                create_dirs(yes); dir_perm(0750); }; 

source net {    udp(ip(193.63.147.98) port(514)); 
                tcp(ip(193.63.147.98) port(1740) keep-alive(yes)); }; 

destination fwall { file("/var/log/firewalls/$HOST.$YEAR.$MONTH.$DAY.log" 
                        perm(0640)); }; 

filter f_pixmsg { match("%PIX"); }; 

filter f_local0 { facility(local0); }; 

log { source(net); filter(f_local0); filter(f_pixmsg); destination(fwall); }; 

