[syslog-ng] datetime stamp of syslog-ng...

Anant Athavale asa at isac.gov.in
Wed Jan 2 10:32:50 CET 2008


----- Message from bazsi at balabit.hu ---------
     Date: Wed, 02 Jan 2008 09:51:27 +0100
     From: Balazs Scheidler <bazsi at balabit.hu>
Reply-To: Syslog-ng users' and developers' mailing list  
<syslog-ng at lists.balabit.hu>
  Subject: Re: [syslog-ng] datetime stamp of syslog-ng...
       To: Syslog-ng users' and developers' mailing list  
<syslog-ng at lists.balabit.hu>


>
> On Wed, 2008-01-02 at 09:45 +0530, Anant Athavale wrote:
>> Dear List,
>>
>> I am redirecting a system log of one server to a centralized log
>> server running syslog-ng.   When we redirect, syslog-ng adds its own
>> datetime stamp before the actual log entry for each line.  Due to
>> this, one of the log processing software does not recognize the format
>> and does not generate any reports.  If I remove those 4 fields (Month
>> Name, Date, Year and IP address) for ex: Jan 2 2008 10.10.10.10  (here
>> 10.10.10.10 is the IP address of the system whose logs are getting
>> stored in central log server) that log processing software works as
>> expected and generates report.
>>
>> Is it possible that, I can block those fields getting recorded.  If
>> yes, how? and if not, what is the alternative?
>
> Syslog-ng tries to parse the time stamp of the original message, and if
> it is not in a proper format, it assumes the timestamp is part of the
> message itself and adds a complete syslog header, that's why you see
> that a timestamp is prepended.
>
> Can you show us an example of the original message?

Here is the sample log entry.

Jan  2 14:49:07 10.21.3.4 2008-01-02 09:06:27 80 10.21.3.58
RAGHAVENDRA%20B%20KULKARNI - - PROXIED "none"
http://www.ndtv.com/convergence/ndtv/images/site/swfs/tickerdotcomnew.swf
  200 TCP_NC_MISS GET text/html http www.ndtv.com 80
/convergence/ndtv/miscfiles/desktoptickernewfuture.asp
?condition=0&ch=Wed%20Jan%202%2014:34:35%20GMT+0530%202008 asp
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; IEMB3; IEMB3)" 10.21.3.4 1804 863 -
Jan  2 14:49:07 10.21.3.4 2008-01-02 09:06:27 1 10.21.3.58
RAGHAVENDRA%20B%20KULKARNI - - PROXIED "none"
http://www.ndtv.com/convergence/ndtv/default.aspx  304 TCP_HIT GET
application/x-javascript http www.ndtv.com 80
/convergence/ndtv/include/video.js - js "Mozilla/4.0 (compatible; MSIE
7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3;
IEMB3)" 10.21.3.4 319 847 -

>
> Once the timestamp is parsed syslog-ng regenerates it according to the
> template used and the ts_format() global option.

Can I force syslog-ng to not add its own timestamp?

>
>
> --
> Bazsi


----- End message from bazsi at balabit.hu -----



Regards,

Anant Athavale.
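
An added example, not part of the original thread and not syslog-ng's own code: a post-processing filter that recognises the prepended "Mmm dd HH:MM:SS host" header described above, strips it only when the device's own "YYYY-MM-DD HH:MM:SS" timestamp follows, and keeps the relay host so source attribution is not lost. The function names are hypothetical, the sample lines are constructed after the shape of the sample entry in this message, and each record is assumed to occupy one physical line in the log file.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Header written by the central server: "Mmm dD HH:MM:SS host " (BSD syslog style)
RELAY_HEADER = re.compile(
    r"^(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ 0-3]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>.*)$"
)
# The device's own timestamp, which was not accepted as a syslog header
ORIGINAL_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


class Relayed(NamedTuple):
    relay_ts: str    # time the central server stamped on the line
    relay_host: str  # sender address recorded by the central server
    payload: str     # original record, byte for byte


def split_relayed(line: str) -> Optional[Relayed]:
    """Split a line into relay header and original record.

    Returns None unless the line has a prepended header AND the remainder
    starts with the device timestamp, so ordinary syslog lines are not cut.
    """
    m = RELAY_HEADER.match(line.rstrip("\n"))
    if m is None or not ORIGINAL_TS.match(m.group("payload")):
        return None
    return Relayed(m.group("ts"), m.group("host"), m.group("payload"))


def strip_relay_headers(lines: List[str]) -> List[Tuple[Optional[str], str]]:
    """Return (relay_host, record) pairs; unmatched lines pass through as (None, line)."""
    out = []
    for line in lines:
        r = split_relayed(line)
        out.append((r.relay_host, r.payload) if r else (None, line.rstrip("\n")))
    return out


# Constructed sample input (documentation addresses, shortened records)
SAMPLE = [
    'Jan  2 14:49:07 192.0.2.4 2008-01-02 09:06:27 80 192.0.2.58 user - - PROXIED "none" http://www.example.com/a.swf 200 TCP_NC_MISS GET',
    'Jan 12 03:00:01 192.0.2.4 2008-01-12 03:00:00 1 192.0.2.58 user - - PROXIED "none" http://www.example.com/ 304 TCP_HIT GET',
    'Jan  2 14:49:08 loghost sshd[411]: Accepted publickey for admin',  # normal syslog line, left alone
]

if __name__ == "__main__":
    for host, record in strip_relay_headers(SAMPLE):
        print(host, "|", record)
```
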

