[syslog-ng] S_DATE apparently not working

Balazs Scheidler bazsi at balabit.hu
Wed Jun 13 13:35:06 CEST 2007 

On Wed, 2007-06-13 at 12:33 +0200, Giulio Botto wrote:
> Balazs Scheidler wrote:
> > On Thu, 2007-06-07 at 11:57 +0200, Giulio Botto wrote:
> >> Hello,
> >>
> >> I'm new to both syslog-ng and the list so I first tried the docs and archives,
> >> but couldn't find anything enlightening.
> >>
> >> We have a syslog-ng 2.0.3 running on CentOS 5 and some Cisco PIX appliances
> >> sending their logs to it.
> >>
> >> If my understanding is correct I should be receiving the sender's timestamp
> >> and should be able to log it in my log files instead of the the receiving
> >> timestamp by application of the S_DATE macro.
> > 
> > If syslog-ng received an invalid timestamp or no timestamp, it generates
> > a new value for S_DATE based on the local time.
> > 
> > Can you post a sample log message as received by syslog-ng? a tcpdump or
> > an strace dump with the string size set to a high value (-s 4096 for
> > instance) could be helpful.
> > 

PIX uses a funny timestamp, that syslog-ng could not understand. Can you
check if this patch fixes the issue:

--- a/src/logmsg.c
+++ b/src/logmsg.c
@@ -268,6 +268,32 @@ log_msg_parse(LogMessage *self, gchar *data, gint length, guint flags, regex_t *
       src += stamp_length;
       left -= stamp_length;
     }
+  else if (left >= 21 && src[3] == ' ' && src[6] == ' ' && src[11] == ' ' && src[14] == ':' && src[17] == ':' && src[20] == ':')
+    {
+      /* PIX timestamp, expected format: MMM DD YYYY HH:MM:SS: */
+
+      struct tm tm, *nowtm;
+
+      /* Just read the buffer data into a textual
+         datestamp. */
+
+      g_string_assign_len(&self->date, src, 21);
+      src += 21;
+      left -= 21;
+
+      /* And also make struct time timestamp for the msg */
+
+      nowtm = localtime(&now);
+      tm = *nowtm;
+      strptime(self->date.str, "%b %e %Y %H:%M:%S:", &tm);
+      tm.tm_isdst = -1;
+        
+      /* NOTE: no timezone information in the message, assume it is local time */
+      self->stamp.time.tv_sec = mktime(&tm);
+      self->stamp.time.tv_usec = 0;
+      self->stamp.zone_offset = get_local_timezone_ofs(self->stamp.time.tv_sec); /* assume local timezone */
+      
+    }
   else if (left >= 15 && src[3] == ' ' && src[6] == ' ' && src[9] == ':' && src[12] == ':')
     {
       /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */


-- 
Bazsi

More information about the syslog-ng mailing list