[syslog-ng] v3.0.8: How to logging messages with non-rfc timestamps?
Balazs Scheidler
bazsi at balabit.hu
Thu Sep 2 17:41:56 CEST 2010
On Sun, 2010-08-29 at 17:27 +0400, Sergey V.Lobanov wrote:
> I'm using syslog-ng v3.0.8(OSE) for logging messages from remote devices. There is a host which sends messages with incorrect timestamp format, for example "Jan 19 15:52:7". Syslog-ng does not store the first word in timestamp via macros $MSGHDR.
>
> For example:
> $ echo "<134>Jan 19 15:52:7 test" | nc -u 192.168.3.142 514
> ^C
>
> But log file does not contains the word 'Jan':
> Aug 29 16:49:10 10.147.0.202 10.147.0.202 19 15:52:7 test
>
> Configuration file:
> @version: 3.0
> options {
> use_dns(yes);
> };
> source src_remote
> {
> udp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
> tcp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
> };
> template t_remote {template("$DATE $SOURCEIP $HOST_FROM $MSGHDR$MESSAGE\n"); template_escape(no); };
> destination remoteall { file("/var/log/all-remote.log" template(t_remote)); };
> log { source(src_remote); destination(remoteall); };
>
>
> How can I store the original timestamp from the remote host?
Well, I can't really see a solution right now, other than to modify the
hand-crafter parser in the syslog-ng source code (logmsg.c,
log_msg_parse_date)
In 3.2, there's a "format" plugin that is responsible for converting
textual log records to its internal representation, which would also
require C coding but you could avoid changing the general case.
--
Bazsi
More information about the syslog-ng
mailing list