[syslog-ng] S_DATE apparently not working
Giulio Botto
madecto at sangria.org.il
Wed Jun 13 12:33:13 CEST 2007
Balazs Scheidler wrote:
> On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
>> Hello,
>>
>> I'm new to both syslog-ng and the list so I first tried the docs and archives,
>> but couldn't find anything enlightening.
>>
>> We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances
>> sending their logs to it.
>>
>> If my understanding is correct I should be receiving the sender's timestamp
>> and should be able to log it in my log files instead of the receiving
>> timestamp by application of the S_DATE macro.
>
> If syslog-ng received an invalid timestamp or no timestamp, it generates
> a new value for S_DATE based on the local time.
>
> Can you post a sample log message as received by syslog-ng? A tcpdump or
> an strace dump with the string size set to a high value (-s 4096 for
> instance) could be helpful.
>
# tcpdump -s0 -x -X host 10.13.122.245
12:28:50.119966 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG
local7.info, length: 188
0x0000: 4500 00d8 fdf1 0000 fc11 cb07 0a0d 7af5 E.............z.
0x0010: 0a0d 660c 0202 0202 00c4 c214 3c31 3930 ..f.........<190
0x0020: 3e41 7072 2031 3520 3230 3037 2032 313a >Apr.15.2007.21:
0x0030: 3238 3a31 333a 2025 5049 582d 362d 3330 28:13:.%PIX-6-30
0x0040: 3230 3133 3a20 4275 696c 7420 6f75 7462 2013:.Built.outb
0x0050: 6f75 6e64 2054 4350 2063 6f6e 6e65 6374 ound.TCP.connect
0x0060: 696f 6e20 3136 3838 3534 3020 666f 7220 ion.1688540.for.
0x0070: 626c 6f6f 6d62 6572 672d 6e65 743a 3230 bloomberg-net:20
0x0080: 382e 3133 342e 3136 312e 3132 2f38 3239 8.134.161.12/829
0x0090: 3420 2832 3038 2e31 3334 2e31 3631 2e31 4.(208.134.161.1
0x00a0: 322f 3832 3934 2920 746f 2069 6e73 6964 2/8294).to.insid
0x00b0: 653a 3130 2e31 3736 2e33 312e 3234 2f33 e:10.176.31.24/3
0x00c0: 3636 3920 2831 302e 3137 362e 3331 2e32 669.(10.176.31.2
0x00d0: 342f 3336 3639 290a 4/3669).
12:28:50.223642 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG
local7.info, length: 178
0x0000: 4500 00ce fdf3 0000 fc11 cb0f 0a0d 7af5 E.............z.
0x0010: 0a0d 660c 0202 0202 00ba c26c 3c31 3930 ..f........l<190
0x0020: 3e41 7072 2031 3520 3230 3037 2032 313a >Apr.15.2007.21:
0x0030: 3238 3a31 333a 2025 5049 582d 362d 3330 28:13:.%PIX-6-30
0x0040: 3230 3134 3a20 5465 6172 646f 776e 2054 2014:.Teardown.T
0x0050: 4350 2063 6f6e 6e65 6374 696f 6e20 3136 CP.connection.16
0x0060: 3838 3433 3820 666f 7220 626c 6f6f 6d62 88438.for.bloomb
0x0070: 6572 672d 6e65 743a 3230 382e 3133 342e erg-net:208.134.
0x0080: 3136 312e 3132 2f38 3239 3420 746f 2069 161.12/8294.to.i
0x0090: 6e73 6964 653a 3130 2e31 3736 2e33 312e nside:10.176.31.
0x00a0: 3234 2f33 3633 3920 6475 7261 7469 6f6e 24/3639.duration
0x00b0: 2030 3a30 373a 3031 2062 7974 6573 2031 .0:07:01.bytes.1
0x00c0: 3639 3735 2054 4350 2046 494e 730a 6975.TCP.FINs.
12:28:52.667328 IP 10.13.122.245.syslog > 10.13.102.12.syslog: SYSLOG
local7.warning, length: 152
0x0000: 4500 00b4 fdfa 0000 fc11 cb22 0a0d 7af5 E.........."..z.
0x0010: 0a0d 660c 0202 0202 00a0 fdc4 3c31 3838 ..f.........<188
0x0020: 3e41 7072 2031 3520 3230 3037 2032 313a >Apr.15.2007.21:
0x0030: 3238 3a31 353a 2025 5049 582d 342d 3130 28:15:.%PIX-4-10
0x0040: 3630 3233 3a20 4465 6e79 2075 6470 2073 6023:.Deny.udp.s
0x0050: 7263 2062 6c6f 6f6d 6265 7267 2d6e 6574 rc.bloomberg-net
0x0060: 3a31 3939 2e31 3035 2e31 3831 2e35 302f :199.105.181.50/
0x0070: 3438 3133 3020 6473 7420 696e 7369 6465 48130.dst.inside
0x0080: 3a31 302e 3137 362e 3334 2e38 362f 3438 :10.176.34.86/48
0x0090: 3132 3920 6279 2061 6363 6573 732d 6772 129.by.access-gr
0x00a0: 6f75 7020 2242 4c4f 4f4d 4245 5247 2d4e oup."BLOOMBERG-N
0x00b0: 4554 220a ET".
TIA,
--
Giulio Botto -- madecto at sangria.org.il
PGP fingerprint = 1979 A78A 8F82 DB5E 55E9 D6D6 6AB6 0BA9 FDB7 6789
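As an added illustration (not part of the thread, and not syslog-ng's own code): the script below recovers the UDP payload from the first datagram in the tcpdump above and runs a strict RFC 3164 header parse over it, substituting the receive time whenever the timestamp does not match, which is the fallback Balazs describes. The parser is a plain RFC 3164 one written for this example, not a model of how syslog-ng 2.0.3 actually parses; the capture date is assumed to be the date of the mail, and the comparison line with the hostname `pix01` is constructed for contrast.

```python
import re
from datetime import datetime

# Hex columns of the first datagram in the post's tcpdump (ASCII column dropped).
DUMP = """
0x0000: 4500 00d8 fdf1 0000 fc11 cb07 0a0d 7af5
0x0010: 0a0d 660c 0202 0202 00c4 c214 3c31 3930
0x0020: 3e41 7072 2031 3520 3230 3037 2032 313a
0x0030: 3238 3a31 333a 2025 5049 582d 362d 3330
0x0040: 3230 3133 3a20 4275 696c 7420 6f75 7462
0x0050: 6f75 6e64 2054 4350 2063 6f6e 6e65 6374
0x0060: 696f 6e20 3136 3838 3534 3020 666f 7220
0x0070: 626c 6f6f 6d62 6572 672d 6e65 743a 3230
0x0080: 382e 3133 342e 3136 312e 3132 2f38 3239
0x0090: 3420 2832 3038 2e31 3334 2e31 3631 2e31
0x00a0: 322f 3832 3934 2920 746f 2069 6e73 6964
0x00b0: 653a 3130 2e31 3736 2e33 312e 3234 2f33
0x00c0: 3636 3920 2831 302e 3137 362e 3331 2e32
0x00d0: 342f 3336 3639 290a
"""

# Constructed comparison line in plain RFC 3164 form (hostname pix01 is made up).
CONSTRUCTED_BSD = "<190>Apr 15 21:28:13 pix01 %PIX-6-302013: Built outbound TCP connection"

# Assumed capture time: the tcpdump shows 12:28:50, the date is taken from the mail header.
CAPTURE_TIME = datetime(2007, 6, 13, 12, 28, 50)

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP is exactly "Mmm dd hh:mm:ss" (day space-padded) followed by one space.
TS_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")


def udp_payload_from_dump(dump: str) -> bytes:
    """Rebuild the IPv4 packet from tcpdump -x lines and return the UDP payload."""
    words = []
    for line in dump.strip().splitlines():
        parts = line.split()
        if parts and parts[0].startswith("0x"):
            words.extend(parts[1:])
    packet = bytes.fromhex("".join(words))
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != 17:                      # protocol field must be UDP
        raise ValueError("not a UDP datagram")
    udp_len = int.from_bytes(packet[ihl + 4:ihl + 6], "big")  # includes 8-byte UDP header
    return packet[ihl + 8:ihl + udp_len]


def parse_bsd_syslog(raw: str, received_at: datetime) -> dict:
    """Strict RFC 3164 header parse; fall back to the receive time on a bad timestamp."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("message has no PRI field")
    facility, severity = divmod(int(m.group(1)), 8)
    rest = raw[m.end():]
    t = TS_RE.match(rest)
    if t:
        mon, day, hh, mm, ss = t.groups()
        # RFC 3164 carries no year, so the receiver supplies its own.
        stamp = datetime(received_at.year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        source = "sender"
        rest = rest[t.end():]
    else:
        stamp = received_at
        source = "receiver"
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": stamp,
        "timestamp_source": source,
        "message": rest.rstrip("\n"),
    }


if __name__ == "__main__":
    payload = udp_payload_from_dump(DUMP).decode("ascii")
    print(repr(payload))
    for msg in (payload, CONSTRUCTED_BSD):
        r = parse_bsd_syslog(msg, CAPTURE_TIME)
        print(r["timestamp_source"], r["timestamp"].isoformat(), r["message"][:40])
```

Decoded, the payload reads `<190>Apr 15 2007 21:28:13: %PIX-6-302013: Built outbound ...`: the PIX places a four-digit year between the day and the time and a colon after the seconds, neither of which the RFC 3164 `Mmm dd hh:mm:ss` form allows, so a strict parser rejects it and records the receive time, exactly the symptom reported. The dump also shows the device clock reading April while the capture was made in June, so which source ends up in S_DATE matters for correlation; keeping a `timestamp_source` field per message, as above, makes it straightforward to spot senders whose stamps are being rejected or whose clocks drift.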