[syslog-ng] datetime stamp of syslog-ng...

Balazs Scheidler bazsi at balabit.hu
Wed Jan 2 09:51:27 CET 2008


On Wed, 2008-01-02 at 09:45 +0530, Anant Athavale wrote:
> Dear List,
> 
> I am redirecting a system log of one server to a centralized log
> server running syslog-ng. When we redirect, syslog-ng adds its own
> datetime stamp before the actual log entry for each line. Due to
> this, one of the log processing software packages does not recognize the
> format and does not generate any reports. If I remove those 4 fields (Month
> Name, Date, Year and IP address), for example: Jan 2 2008 10.10.10.10 (here
> 10.10.10.10 is the IP address of the system whose logs are getting
> stored in the central log server), that log processing software works as
> expected and generates reports.
> 
> Is it possible to block those fields from getting recorded? If
> yes, how? And if not, what is the alternative?

Syslog-ng tries to parse the time stamp of the original message, and if
it is not in a proper format, it assumes the timestamp is part of the
message itself and adds a complete syslog header; that's why you see
that a timestamp is prepended.

Can you show us an example of the original message?

Once the timestamp is parsed, syslog-ng regenerates it according to the
template used and the ts_format() global option.


-- 
Bazsi
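
The behaviour described in the reply above, as an added example that is not part of the original post and is not syslog-ng's own code: a simplified Python model of a receiver that prepends a full header only when the incoming timestamp cannot be parsed, then regenerates the line from a template. The function names, the `{date}`/`{host}`/`{msg}` template fields (Python format fields, not syslog-ng macros) and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Simplified BSD-syslog header: optional <PRI>, "Mmm dd hh:mm:ss", host, message.
HDR = re.compile(r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                 r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Constructed sample input (not taken from the thread).
RECEIVED = datetime(2008, 1, 2, 9, 51, 27)      # receive time on the central server
SENDER = "10.10.10.10"                          # address of the sending system
GOOD = "<13>Jan  2 09:45:10 web01 sshd[411]: session opened"
BAD = "<13>2008-01-02 09:45:10 app started"     # timestamp not in the expected form


def parse(raw, sender, received):
    """Return (timestamp, host, msg, header_parsed) for one received line."""
    m = HDR.match(raw)
    if m:
        try:
            # BSD timestamps carry no year; borrow it from the receive time.
            ts = datetime.strptime(f"{received.year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["host"], m["msg"], True
        except ValueError:
            pass  # looked like a timestamp but is not a valid date
    # No usable timestamp: the whole line (minus <PRI>) is the message, and the
    # header fields are filled in from the receive time and the sender address.
    return received, sender, re.sub(r"^<\d{1,3}>", "", raw), False


def render(raw, sender, received, template="{date} {host} {msg}"):
    """Regenerate the output line from the parsed fields and a template."""
    ts, host, msg, _ = parse(raw, sender, received)
    date = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return template.format(date=date, host=host, msg=msg)


if __name__ == "__main__":
    for line in (GOOD, BAD):
        print(render(line, SENDER, RECEIVED))           # full header
        print(render(line, SENDER, RECEIVED, "{msg}"))  # message only
```

For the unparseable line the original timestamp stays inside the message text, so a message-only template still emits it unchanged.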


