[syslog-ng] ts_format(iso) bug or misunderstanding?

Chris Hiestand chiestand at salk.edu
Fri Apr 6 10:40:07 CEST 2012


Thank you very much for your reply Patrick, that was very helpful.

I have downloaded syslog-ng v3.3 (Debian Wheezy) just to get the latest, and I'm still having a problem.

Based on your advice, I was able to successfully get the iso ts_format if I use the syslog() destination driver. However, if I use the tcp() destination driver, I still cannot get iso ts_format. syslog-ng ignores my parameter and sends old style timestamps.

my driver:
> destination My_Syslog { tcp("syslog.server.salk.edu" port(514) ts_format(iso) ); };
> log { source(s_src); destination(My_Syslog); };


tcpdump:
> @.m..<hw<86>Apr  6 01:24:01 host CRON[1923]: pam_unix(cron:session): session closed for user root

In fact, I have tried all variations of ts_format (rfc3164, bsd, rfc3339, iso) and I always get the same result.

Eventually I will switch to the syslog message protocol, so this is not a show-stopper. But not getting something to work as advertised is still troubling.

Could I be missing something else? Or might we be in bug/documentation bug territory?

Thanks,
Chris



On Apr 5, 2012, at 7:10 PM, Patrick Hemmer wrote:

> Somewhere in between bug and misunderstanding. The bug would be in documentation, but the behavior is deliberate.
> The reason is that when sending over the network to a syslog server, the server expects the message in a certain format. When you change the timestamp, that format is now invalid and the remote end might not be able to parse it.
> 
> Now you could put `ts_format(iso)` in the `tcp()` destination driver. But if your remote server is looking for a timestamp in ISO format, it probably supports the syslog message protocol, which uses ISO timestamps. Syslog-ng uses the syslog destination driver for sending in this format.
> 
> The syslog message protocol looks like this:
> <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
> 
> 
> The aforementioned bug in the documentation is that it says the tcp() destination driver ts_format uses the global ts_format setting. It doesn't.
> 
> -Patrick
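
The following is an added example (not code from this thread or from syslog-ng itself) that makes the point in Patrick's reply concrete: two minimal receivers, one for the legacy BSD-syslog wire format (RFC 3164) that the tcp() driver emits, and one for the syslog protocol (RFC 5424) that the syslog() driver emits. A receiver that expects the legacy format has no way to parse a message whose timestamp has been switched to ISO 8601, which is why honouring ts_format(iso) in tcp() would break the remote end. The sample lines are constructed: LEGACY is the tcpdump payload above with the packet bytes stripped, ISO_IN_LEGACY is a hypothetical message a tcp() receiver would see if ts_format(iso) were applied (timezone offset assumed), and NEW_PROTO is the RFC 5424 line quoted in the reply. The year passed to the legacy parser is an assumption, since RFC 3164 timestamps carry none.

```python
"""Added example: minimal RFC 3164 and RFC 5424 receivers (not syslog-ng code)."""
import re
from datetime import datetime
from typing import Optional, Tuple

# RFC 3164 wire format: <PRI>Mmm dd hh:mm:ss HOST MSG
# The timestamp is fixed-width, e.g. "Apr  6 01:24:01", and carries no year.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# RFC 5424 wire format: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# The VERSION field ("1") right after the priority makes the format unambiguous.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\](?:\[.*?\])*)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split the <PRI> value into (facility, severity): PRI = facility * 8 + severity."""
    return pri >> 3, pri & 7


def parse_rfc3164(line: str, year: int) -> Optional[dict]:
    """Parse a legacy BSD-syslog line. Returns None when the line is not in that format."""
    m = RFC3164_RE.match(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    # The receiver has to supply the year itself; 'year' is an assumption here.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"format": "rfc3164", "facility": facility, "severity": severity,
            "timestamp": ts, "host": m["host"], "msg": m["msg"]}


def parse_rfc5424(line: str) -> Optional[dict]:
    """Parse an RFC 5424 syslog-protocol line. Returns None when the line is not in that format."""
    m = RFC5424_RE.match(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    raw_ts = m["ts"]
    # 'Z' is normalised so fromisoformat() accepts it on Python versions before 3.11.
    ts = None if raw_ts == "-" else datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    return {"format": "rfc5424", "facility": facility, "severity": severity,
            "timestamp": ts, "host": m["host"], "app": m["app"], "procid": m["procid"],
            "msgid": m["msgid"], "sd": m["sd"], "msg": m["msg"] or ""}


def receive(line: str, legacy_year: int = 2012) -> Optional[dict]:
    """A receiver that understands both formats: try RFC 5424 first (unambiguous
    because of the VERSION field), then fall back to RFC 3164."""
    return parse_rfc5424(line) or parse_rfc3164(line, legacy_year)


# Constructed samples (see the lead-in).
LEGACY = "<86>Apr  6 01:24:01 host CRON[1923]: pam_unix(cron:session): session closed for user root"
ISO_IN_LEGACY = "<86>2012-04-06T01:24:01+02:00 host CRON[1923]: pam_unix(cron:session): session closed for user root"
NEW_PROTO = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
             "BOM'su root' failed for lonvick on /dev/pts/8")

if __name__ == "__main__":
    for sample in (LEGACY, ISO_IN_LEGACY, NEW_PROTO):
        print(receive(sample))
```

Running the block shows the legacy line decoding to facility 10 (authpriv), severity 6 (info) with a 2012-04-06 timestamp, the RFC 5424 line decoding with its UTC timestamp and MSGID, and the hypothetical ISO-in-legacy line being rejected by both parsers, which is exactly the failure Patrick describes.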
