[syslog-ng] v3.0.8: How to logging messages with non-rfc timestamps?

[Sergey V. Lobanov]

On 09/02/2010 07:41 PM, Balazs Scheidler wrote:
> On Sun, 2010-08-29 at 17:27 +0400, Sergey V.Lobanov wrote:
>    
>> I'm using syslog-ng v3.0.8(OSE) for logging messages from remote devices. There is a host which sends messages with incorrect timestamp format, for example "Jan 19 15:52:7". Syslog-ng does not store the first word in timestamp via macros $MSGHDR.
>>
>> For example:
>> $ echo "<134>Jan 19 15:52:7 test" | nc -u 192.168.3.142 514
>> ^C
>>
>> But log file does not contains the word 'Jan':
>> Aug 29 16:49:10 10.147.0.202 10.147.0.202 19 15:52:7 test
>>
>> Configuration file:
>> @version: 3.0
>> options {
>>      use_dns(yes);
>> };
>> source src_remote
>> {
>>          udp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
>>          tcp(ip("0.0.0.0") port(514) flags(store-legacy-msghdr));
>> };
>> template t_remote {template("$DATE $SOURCEIP $HOST_FROM $MSGHDR$MESSAGE\n"); template_escape(no); };
>> destination remoteall { file("/var/log/all-remote.log" template(t_remote));  };
>> log { source(src_remote); destination(remoteall); };
>>
>>
>> How can I store the original timestamp from the remote host?
>>      
> Well, I can't really see a solution right now, other than to modify the
> hand-crafter parser in the syslog-ng source code (logmsg.c,
> log_msg_parse_date)
>
> In 3.2, there's a "format" plugin that is responsible for converting
> textual log records to its internal representation, which would also
> require C coding but you could avoid changing the general case.
>
>    
Thanks, I'll use syslog-ng v3.2 if the manufacter of these devices will 
not fix this bug in next version of firmware.

-- 
wbr,
Sergey V. Lobanov