[syslog-ng] ts_format(iso) bug or misunderstanding?

Patrick Hemmer syslogng at stormcloud9.net
Fri Apr 6 04:10:02 CEST 2012


Somewhere in between bug and misunderstanding. The bug would be in 
documentation, but the behavior is deliberate.
The reason is that when sending over the network to a syslog server, the 
server expects the message in a certain format. When you change the 
timestamp, that format is now invalid and the remote end might not be 
able to parse it.

Now you could put `ts_format(iso)` in the `tcp()` destination driver. 
But if your remote server is looking for a timestamp in ISO format, it 
probably supports the syslog message protocol 
<http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_message_ietfsyslog.html>, 
which uses ISO timestamps. Syslog-ng uses the syslog 
<http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_destination_syslog.html> 
destination driver for sending in this format.

The syslog message protocol looks like this:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su 
root' failed for lonvick on /dev/pts/8


The aforementioned bug in the documentation is that it says the tcp() 
destination driver ts_format uses the global ts_format setting. It doesn't.

-Patrick
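
To make the "remote end might not be able to parse it" point concrete, here is a small added example (mine, not Patrick's and not syslog-ng code) with a strict RFC 3164 header parser and a strict RFC 5424 header parser. The three sample lines are constructed: the BSD-format line mirrors the tcpdump capture in the thread, the second is the same line with an ISO timestamp forced in where the BSD parser expects "Mmm dd hh:mm:ss", and the third is the RFC 5424 example from the reply. Run it and the ISO-in-BSD line is rejected by both parsers, which is exactly why syslog-ng leaves the tcp() driver's timestamp alone and puts ISO timestamps in the syslog() driver's RFC 5424 framing instead.

```python
import re

# Constructed sample messages (not captured from a real server).
BSD_LINE = "<13>Apr  5 18:25:09 host my-test: asdlfkjasdfasdf"
BSD_WITH_ISO = "<13>2012-04-05T18:14:37-07:00 host my-test: asdlfkjasdfasdf"
IETF_LINE = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
             "BOM'su root' failed for lonvick on /dev/pts/8")

# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
# The day of month is space padded, so "Apr  5" carries two spaces.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)

# RFC 5424 (IETF syslog): <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG
# TIMESTAMP is ISO 8601 with a mandatory zone designator (Z or +hh:mm).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) "
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+) ?"
    r"(?P<msg>.*)$"
)


def _with_pri(match):
    """Split the <PRI> value into facility and severity (PRI = facility*8 + severity)."""
    fields = match.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields


def parse_rfc3164(line):
    """Return the parsed header fields, or None if the line is not valid BSD syslog."""
    m = RFC3164_RE.match(line)
    return _with_pri(m) if m else None


def parse_rfc5424(line):
    """Return the parsed header fields, or None if the line is not valid IETF syslog."""
    m = RFC5424_RE.match(line)
    return _with_pri(m) if m else None


def classify(line):
    """Tell which wire format a receiver would accept the line under, if any."""
    if parse_rfc5424(line):
        return "rfc5424"
    if parse_rfc3164(line):
        return "rfc3164"
    return "unparseable"


if __name__ == "__main__":
    for label, line in (("bsd", BSD_LINE), ("bsd+iso", BSD_WITH_ISO), ("ietf", IETF_LINE)):
        print(f"{label:8s} -> {classify(line)}")
```

The practical takeaway for a collector is the same as Patrick's: pick the framing first and the timestamp format follows from it. A receiver that only understands RFC 3164 has no place to put an ISO timestamp, so a mixed-format line falls through every parser and ends up, at best, stored as an unparsed blob with the collector's own arrival time instead of the event time.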



Sent: Thu Apr 05 2012 21:31:54 GMT-0400 (EDT)
From: Chris Hiestand <chiestand at salk.edu>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] ts_format(iso) bug or misunderstanding?
> So I'm using iso timezone format for my syslog clients: options { ... ts_format(iso); ... };
>
> I expected this to use the iso format for all syslog entries. However, I've found that it only uses
> iso format for local syslog entries. syslog entries sent to the syslog-ng collector are in old rfc3164
> format.
>
>> chiestand at host:~$ logger -t my-test asdlfkjasdfasdf
>
>
>
> which sends (3 local entries, 1 remote entry):
>> sudo strace -ff -p 13658
>> ...
>> write(10, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
>> write(11, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
>> write(9, "<13>Apr  5 18:25:09 host my-test"..., 58) = 58
>> write(14, "2012-04-05T18:14:37-07:00 host "..., 64) = 64
>
> or viewing with tcpdump:
>> chiestand at host:/var/log$ sudo tcpdump -A host syslog.server.salk.edu
>> ...
>> .va<13>Apr  5 18:20:31 host my-test: asdlfkjasdfasdf
>
> I would expect the iso format to be sent to the syslog-ng collector as well. Is this a bug or expected
> behavior? I checked bugzilla and debian bug tracker and didn't see anything.
>
> I'm running syslog-ng v3.1 on Debian squeeze.
>
> Thanks,
> Chris
>
>