[syslog-ng] RFC3339 fractional second logging

Balazs Scheidler bazsi at balabit.hu
Sun Feb 12 11:44:58 CET 2006 

On Sun, 2006-02-12 at 11:37 +0100, Balazs Scheidler wrote:
> On Fri, 2006-02-10 at 08:29 -0500, rlott at ivhs.com wrote:
> > Okay, I have this in my syslog-ng.conf:
> > 
> > options { dir_perm(0755); perm(0644); chain_hostnames(no);
> > ts_format("iso");
> >           keep_hostname(yes); };
> > ...
> > 
> > #
> > local0.debug                                          /var/log/ngr/ngr_3456_A.log
> > 
> > filter f_12 {
> >         facility(local0) and level(debug.emerg);
> > };
> > 
> > destination d_8 {
> >         file("/var/log/ngr/ngr_3456_A_$MONTH$DAY$YEAR.log"
> >         template("$R_ISODATE $HOST $MSG\n")
> >         template_escape(no)
> >         create_dirs(yes)
> >         );
> > };
> > 
> > log { source(local); filter(f_12); destination(d_8); };
> > 
> > And this is an entry from the corresponding log:
> > 
> > 2006-02-10T07:45:15-05:00 localhost <rest of message>
> > 
> > If the timestamp in this case is using the received timestamp, how is
> > this being transmitted/delivered?  Is it being done in ASCII and, if
> > so, is it possible that the fractional portions are not being
> > included? 
> 
> There are two timestamps per message:
> 1) the one in the message as received from the peer, it will never
> contain fractions except when the message was generated by syslog-ng and
> this information was also sent by using a custom template (syslog-ng
> tries to remain compatible with existing syslog devices by default, thus
> it does 

Sorry, I accidentaly pressed Send before finishing my last email.

So there are two timestamps per message:

1) the one in the message as received from the peer, it will never
contain fractions except when the message was generated by syslog-ng and
this information was also sent by using a custom template (syslog-ng
tries to remain compatible with existing syslog devices by default, thus
it does not send an extended timestamp) Macros referencing this timestamp 
begin with "S_" (for stamp)

2) the one assigned by syslog-ng when the message was received from the
peer. This should always contain fractions. These stamps begin with
"R_" (for received)

The prefixes might not be very intuitive, their naming is historical
heritage :)

Thus the example configuration that you sent above should indeed include
the time fractions, but not because the peer sends it, but because
syslog-ng generates R_ timestamps locally as the messages arrive.

However it does not work for some reason. Let me check it and get back
to you.

-- 
Bazsi

More information about the syslog-ng mailing list