[syslog-ng] syslog-ng logging with wrong year

Evan Rempel erempel at uvic.ca
Wed Apr 9 21:32:48 CEST 2008


Balazs Scheidler wrote:
> On Wed, 2008-04-09 at 09:20 -0400, Jean-Sebastien Pilon wrote:
>>> And in addition, the timestamp of the message does not contain a year,
>>> there's a heuristic in syslog-ng to determine that.
>>>
>>> Here's the heuristic used:
>>>
>>>       tm.tm_year = nowtm.tm_year;
>>>       if (tm.tm_mon > nowtm.tm_mon)
>>>         tm.tm_year--;
>>>
>>> E.g. if the current month is smaller than the month in the timestamp,
>>> syslog-ng assumes that it comes from the previous year. Hmm... Maybe
>>> this heuristic would be better:
>>>
>>>       tm.tm_year = nowtm.tm_year;
>>>       if (tm.tm_mon == 11 && nowtm.tm_mon == 0)
>>>         tm.tm_year--;
>>>
>>> E.g. the year is decreased only if the receiver's time is in January,
>>> and the sender came in as December. This would not handle really
>>> skewed timestamps, but your case would be covered.
>>>
>>> I'm reluctant to change this in 2.0 (the current algorithm has been in
>>> place for about a decade now), however I can commit a patch to 2.1.
>>> What do others think?
>>>
>>> And a side-note: the best solution is to use a timestamp that actually
>>> includes the year information, like ISODATE.
>>
>> How can I set ISODATE?
> 
> You should use a template to override the format that syslog-ng uses by
> default, like:
> 
> destination d1 { tcp("host" template("<$PRI>$ISODATE $HOST $MSG\n")); };
> 
> On the client. On the server no changes are necessary it will autodetect
> the timestamp as received from the network.


Except that when I try to use the $ISODATE in the "on the wire" tcp connection
in syslog-ng 2.0.8 (both ends) syslog-ng didn't parse the message correctly at all.
It behaved just like there was no time or host in the message at all.

template accounting        { template("<030>$R_ISODATE $HOST dsmacct: UVIC_ADM1: $MSG\n"); template_escape(no); };

options {
         sync(0);
         log_fifo_size(100000);
         use_fqdn(yes);
         keep_hostname(no);
         chain_hostnames(no);
         time_reap(60);
         time_reopen(5);
};

I just switched to $R_DATE and all works. I assumed that the ISODATE was just not handled by syslog-ng
on an incoming connection as it is well outside the RFC.

Evan.



-- 
Evan Rempel                erempel at uvic.ca
Senior Programmer Analyst        250.721.7691
Computing Services
University of Victoria
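The two year-inference rules quoted above, side by side, as an added example (not syslog-ng's code): it parses the month of a year-less BSD timestamp and shows where the legacy rule and the proposed rule assign different years. Calendar years are used instead of `tm_year` offsets, and the sample timestamps and the receive date (9 April 2008, the thread's date) are constructed.

```c
#include <stdio.h>
#include <string.h>

static const char *MONTHS[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Month (0..11) of a BSD syslog timestamp such as "Apr  9 21:32:48",
 * which carries no year; -1 if the leading token is not a month name. */
int bsd_month(const char *ts)
{
    for (int i = 0; i < 12; i++)
        if (strncmp(ts, MONTHS[i], 3) == 0)
            return i;
    return -1;
}

/* Legacy syslog-ng 2.0 rule: a message month later than the receiver's
 * current month is taken to belong to the previous year. */
int year_legacy(int msg_mon, int now_mon, int now_year)
{
    return (msg_mon > now_mon) ? now_year - 1 : now_year;
}

/* Proposed rule from the thread: roll back only when the receiver is in
 * January and the message says December; other skew is left alone. */
int year_proposed(int msg_mon, int now_mon, int now_year)
{
    return (msg_mon == 11 && now_mon == 0) ? now_year - 1 : now_year;
}

/* 1 if the two rules assign different years to this timestamp at this
 * receive time, 0 if they agree, -1 if the timestamp is unparseable. */
int rules_disagree(const char *ts, int now_mon, int now_year)
{
    int m = bsd_month(ts);
    if (m < 0)
        return -1;
    return year_legacy(m, now_mon, now_year) != year_proposed(m, now_mon, now_year);
}

int main(void)
{
    const int now_mon = 3, now_year = 2008;   /* constructed: receiver clock is April 2008 */
    const char *samples[] = { "Apr  9 21:32:48", "Dec 31 23:59:59", "Mar 15 10:00:00" };
    for (int i = 0; i < 3; i++) {
        int m = bsd_month(samples[i]);
        printf("%s -> legacy %d, proposed %d\n", samples[i],
               year_legacy(m, now_mon, now_year), year_proposed(m, now_mon, now_year));
    }
    return 0;
}
```

The December sample is the case the thread calls skewed: a months-old or clock-skewed December message received in April lands in 2007 under the legacy rule and in 2008 under the proposed one, which is why a year-bearing format like ISODATE is the only robust answer for log ordering.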

