[syslog-ng] Please Help problems with timezone and stamping !!

Guy Fleegman network.monger at gmail.com
Thu May 3 18:16:30 CEST 2007


I have several sources that are all reporting to a syslog-ng 2.0.3 server.
My source is

source all_routers { udp(ip( port(514));

My problem is that I have one source that is isolated to a separate file

I isolate the file with the following
filter f_pd_snort { host(intsnort1); };

and have this destination
destination d_pd_snort  { file("/var/log/syslog-ng-logs/pd_snort.1"
perm(0644) template(t_default)); };

Then I use the following command
log { source(all_routers); filter(f_pd_snort); destination(d_pd_snort); };

The problem is the format the data is arriving in. It sends data in UTC time
as follows
Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:13:1] Snort Alert [Classification: Unknown] [Priority: 3]
Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:4:1] Snort Alert [Classification: Unknown] [Priority: 3]
Apr 30 14:04:35 2007 intsnort1 SFIMS: [122:3:0] Snort Alert [Classification: Unknown] [Priority: 3]

This is UTC. It is the time that is being sent in the actual packet (I
verified with Wireshark).

I want syslog-ng to modify the times going into this file (and this file
only) to reflect EST time.

Based upon the documentation, the following algorithm is used.


   1. The sender can specify the timezone of the messages. If the incoming
      message includes a timezone it is associated with the message.
      Otherwise, the local timezone is assumed.

   2. The administrator specifies the *time_zone()* parameter for the source
      driver that reads the message. This parameter overrides the original
      timezone of the message. Each source defaults to the value of the
      *recv_time_zone()* global option.

   3. The destination driver specifies the timezone via the *time_zone()*
      parameter. Each destination driver might have an associated timezone
      value to which message timestamps are converted before they are sent
      to the final destination (file or network socket). Each destination
      defaults to the value of the *send_time_zone()* global option. A
      message can be sent to multiple destination zones.

   4. When macro expansions are used in the destination filenames, the local
      timezone is used.

So option #1 is not being done
I can't use #2 because my source is defined for all devices
I tried using #3.....  with the line modified as
destination d_pd_snort  { file("/var/log/syslog-ng-logs/pd_snort.1"
perm(0644) time_zone(-04:00) template(t_default)); };

However, this does not seem to make any difference. Can you please tell
me why option #3 is not working,
and also why in #1 it is not defaulting to just adding the
local timezone, since the incoming message does not have a timezone?

Please help and thank you :)
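
An added example, not part of the original post and not syslog-ng code: a small Python model of the documentation steps quoted above, limited to the case in this message where the timestamp carries no zone. The function names are hypothetical, and the server's local offset of -04:00 is an assumption; the model shows how the zone a stamp is read in and the zone it is written in interact.

```python
from datetime import datetime, timedelta, timezone

STAMP_FORMAT = "%b %d %H:%M:%S %Y"   # layout of the stamps quoted in the post
STAMP_LENGTH = 20                    # "Apr 30 14:04:35 2007"

def parse_offset(text):
    """Turn an offset such as '-04:00' or '+00:00' into a tzinfo object."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))

def restamp(line, source_zone=None, dest_zone=None, local_zone="-04:00"):
    """Model of the quoted steps for a stamp that has no zone of its own.

    Read side:  the source's time_zone() if given, otherwise the local zone.
    Write side: the destination's time_zone() if given, otherwise the local
                zone (standing in for the send_time_zone() default).
    local_zone is an assumed value for the log server.
    """
    stamp, rest = line[:STAMP_LENGTH], line[STAMP_LENGTH:]
    read_in = parse_offset(source_zone or local_zone)
    written_in = parse_offset(dest_zone or local_zone)
    when = datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=read_in)
    return when.astimezone(written_in).strftime(STAMP_FORMAT) + rest

# Constructed sample: one of the alert lines quoted in the post, unwrapped.
SAMPLE = ("Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:13:1] Snort Alert "
          "[Classification: Unknown] [Priority: 3]")

if __name__ == "__main__":
    # Destination zone only: the stamp is read as local (-04:00) and written
    # as -04:00, so in this model the text does not change.
    print(restamp(SAMPLE, dest_zone="-04:00"))
    # Stamp read as UTC on the way in, then written as -04:00.
    print(restamp(SAMPLE, source_zone="+00:00", dest_zone="-04:00"))
```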

