[syslog-ng] ts_format(iso) bug or misunderstanding?

Patrick Hemmer syslogng at stormcloud9.net
Fri Apr 6 13:08:33 CEST 2012


If syslog-ng is letting you set ts_format on the tcp destination driver 
(not throwing a syntax error), but isn't using it, then I'd definitely 
think bug (though this is something the Balabit folks should confirm).
An alternate method would be to use a template on the tcp destination 
driver and explicitly build a format which uses the ISO timestamp. For 
example:
template t_tcp { template("<$PRI> $ISODATE $HOST $MSGHDR$MESSAGE\n"); };  # $PRI is the numeric <facility*8+severity> header a receiver expects
destination d_tcp { tcp("1.2.3.4" template(t_tcp)); };
Note the lack of space between $MSGHDR and $MESSAGE, that's deliberate.

-Patrick



Sent: Fri Apr 06 2012 04:40:07 GMT-0400 (EDT)
From: Chris Hiestand <chiestand at salk.edu>
To: Patrick Hemmer <syslogng at stormcloud9.net>, Syslog-ng users' and 
developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] ts_format(iso) bug or misunderstanding?
> Thank you very much for your reply Patrick, that was very helpful.
>
> I have downloaded syslog-ng v3.3 (Debian Wheezy) just to get the 
> latest, and I'm still having a problem.
>
> Based on your advice, I was able to successfully get the iso ts_format 
> if I use the syslog() destination driver. However, if I use the tcp() 
> destination driver, I still cannot get iso ts_format. syslog-ng 
> ignores my parameter and sends old style timestamps.
>
> my driver:
>> destination My_Syslog { tcp("syslog.server.salk.edu" port(514) ts_format(iso) ); };
>> log { source(s_src); destination(My_Syslog); };
>
>
> tcpdump:
>> @.m..<hw<86>Apr  6 01:24:01 host CRON[1923]: pam_unix(cron:session): 
>> session closed for user root
>
> In fact, I have tried all variations of ts_format (rfc3164, bsd, 
> rfc3339, iso) and I always get the same result.
>
> Eventually I will switch to the syslog message protocol, so this is 
> not a show-stopper. But not getting something to work as advertised 
> is still troubling.
>
> Could I be missing something else? Or might we be in bug/documentation 
> bug territory?
>
> Thanks,
> Chris
>
>
>
> On Apr 5, 2012, at 7:10 PM, Patrick Hemmer wrote:
>
>> Somewhere in between bug and misunderstanding. The bug would be in 
>> documentation, but the behavior is deliberate.
>> The reason is that when sending over the network to a syslog server, 
>> the server expects the message in a certain format. When you change 
>> the timestamp, that format is now invalid and the remote end might 
>> not be able to parse it.
>>
>> Now you could put `ts_format(iso)` in the `tcp()` destination driver. 
>> But if your remote server is looking for a timestamp in ISO format, 
>> it probably supports the syslog message protocol 
>> <http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_message_ietfsyslog.html>, 
>> which uses ISO timestamps. Syslog-ng uses the syslog 
>> <http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_destination_syslog.html> 
>> destination driver for sending in this format.
>>
>> The syslog message protocol looks like this:
>> <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for 
>> lonvick on /dev/pts/8
>>
>>
>> The aforementioned bug in the documentation is that it says the tcp() 
>> destination driver ts_format uses the global ts_format setting. It 
>> doesn't.
>>
>> -Patrick
>
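The three wire formats this thread contrasts, built and parsed side by side: the plain RFC 3164 line the tcp() driver sends, the ISO-timestamped line a tcp() template like the t_tcp one above would produce, and the RFC 5424 line the syslog() driver sends. This is an added illustration, not code from the thread or from syslog-ng; the sample event fields are constructed to resemble the cron line in the tcpdump and the rendering of $ISODATE and $MSGHDR is an assumption stated in the comments. The strict classifier shows Patrick's point, that a receiver expecting RFC 3164 cannot parse a BSD line whose timestamp has been swapped for ISO, and the lenient mode shows what the receiving side must accept instead.

```python
import re
from datetime import datetime, timezone

# Constructed sample event; the field values only resemble the cron line in the
# thread's tcpdump and are not taken from a real capture.
PRI = 86                       # authpriv (10) * 8 + info (6)
HOST = "host"
PROGRAM, PID = "CRON", 1923
MSG = "pam_unix(cron:session): session closed for user root"
TS = datetime(2012, 4, 6, 1, 24, 1, tzinfo=timezone.utc)


def bsd_message(pri=PRI, ts=TS, host=HOST, program=PROGRAM, pid=PID, msg=MSG):
    """RFC 3164 line as the tcp() driver emits it: 'Mmm dd hh:mm:ss' with a
    space-padded day, no year and no time zone."""
    return f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {host} {program}[{pid}]: {msg}"


def iso_template_message(pri=PRI, ts=TS, host=HOST, program=PROGRAM, pid=PID, msg=MSG):
    """Output of a tcp() template "<$PRI> $ISODATE $HOST $MSGHDR$MESSAGE\\n".
    Assumption: $ISODATE renders like 2012-04-06T01:24:01+00:00 and $MSGHDR as
    'CRON[1923]: ' (trailing space included, hence no space before $MESSAGE)."""
    return f"<{pri}> {ts.isoformat()} {host} {program}[{pid}]: {msg}"


def rfc5424_message(pri=PRI, ts=TS, host=HOST, program=PROGRAM, pid=PID, msg=MSG):
    """IETF syslog (RFC 5424) as the syslog() driver emits it:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG."""
    return f"<{pri}>1 {ts:%Y-%m-%dT%H:%M:%SZ} {host} {program} {pid} - - {msg}"


_ISO_TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)"

# Strict RFC 3164 header: PRI immediately followed by the BSD timestamp.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")

# RFC 5424 header: version 1, ISO timestamp, then the fixed fields.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>" + _ISO_TS + r") (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$")

# The hybrid a receiver must accept to understand the t_tcp template: a BSD-style
# line whose timestamp has been swapped for ISO 8601.
ISO_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})> ?(?P<ts>" + _ISO_TS + r") (?P<host>\S+) (?P<rest>.*)$")


def decode_pri(pri):
    """Split the <PRI> value into (facility, severity)."""
    pri = int(pri)
    return pri >> 3, pri & 7


def classify(line, accept_iso_bsd=False):
    """Return (format_name, fields) for a received line, or ('unparsed', None).
    With accept_iso_bsd=False this behaves like a strict receiver: an ISO
    timestamp inside an otherwise BSD-style line is not valid RFC 3164."""
    for name, pattern in (("rfc5424", RFC5424_RE), ("rfc3164", BSD_RE)):
        m = pattern.match(line)
        if m:
            return name, m.groupdict()
    if accept_iso_bsd:
        m = ISO_BSD_RE.match(line)
        if m:
            return "rfc3164-iso", m.groupdict()
    return "unparsed", None


if __name__ == "__main__":
    for line in (bsd_message(), iso_template_message(), rfc5424_message()):
        strict, _ = classify(line)
        lenient, fields = classify(line, accept_iso_bsd=True)
        print(f"{strict:<9} {lenient:<12} {line}")
        if fields:
            print("          facility/severity:", decode_pri(fields["pri"]))
```

Running it prints the three lines with their strict and lenient classification; the template output comes back "unparsed" from the strict receiver and only "rfc3164-iso" once the receiver is taught the hybrid, whereas the syslog() driver's RFC 5424 line carries the ISO timestamp in a form any RFC 5424 receiver already understands.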