[syslog-ng] ts_format(iso) bug or misunderstanding?

Balazs Scheidler bazsi at balabit.hu
Tue Apr 10 11:58:50 CEST 2012


On Fri, 2012-04-06 at 01:40 -0700, Chris Hiestand wrote:
> Thank you very much for your reply Patrick, that was very helpful.
> 
> 
> I have downloaded syslog-ng v3.3 (Debian Wheezy) just to get the
> latest, and I'm still having a problem.
> 
> 
> Based on your advice, I was able to successfully get the iso ts_format
> if I use the syslog() destination driver. However, if I use the tcp()
> destination driver, I still cannot get iso ts_format. syslog-ng
> ignores my parameter and sends old style timestamps.

yup, you need to specify a custom template to change the formatting on
the tcp channel.

template("$ISODATE $HOST $MSGHDR$MSG\n")

should do the trick.

ts-format() is only used for local file destinations.
> 
> 
> my driver:
> 
> > destination My_Syslog { tcp("syslog.server.salk.edu" port(514)
> > ts_format(iso) ); };
> > log { source(s_src); destination(My_Syslog); };
> 
> 
> 
> 
> tcpdump:
> > @.m..<hw<86>Apr  6 01:24:01 host CRON[1923]: pam_unix(cron:session):
> > session closed for user root
> 
> 
> In fact, I have tried all variations of ts_format (rfc3164, bsd,
> rfc3339, iso) and I always get the same result.
> 
> 
> Eventually I will switch to the syslog message protocol, so this is
> not a show-stopper. But not getting something
> to work as advertised is still troubling.
> 
> 
> Could I be missing something else? Or might we be in bug/documentation
> bug territory?
> 
> 
> Thanks,
> Chris
> 
> 
> 
> 
> 
> On Apr 5, 2012, at 7:10 PM, Patrick Hemmer wrote:
> 
> > Somewhere in between bug and misunderstanding. The bug would be in
> > documentation, but the behavior is deliberate.
> > The reason is that when sending over the network to a syslog server,
> > the server expects the message in a certain format. When you change
> > the timestamp, that format is now invalid and the remote end might
> > not be able to parse it.
> > 
> > Now you could put `ts_format(iso)` in the `tcp()` destination
> > driver. But if your remote server is looking for a timestamp in ISO
> > format, it probably supports the syslog message protocol, which uses
> > ISO timestamps. Syslog-ng uses the syslog destination driver for
> > sending in this format.
> > 
> > The syslog message protocol looks like this:
> > <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -
> > BOM'su root' failed for lonvick on /dev/pts/8
> > 
> > 
> > The aforementioned bug in the documentation is that it says the tcp()
> > destination driver ts_format uses the global ts_format setting. It
> > doesn't.
> > 
> > -Patrick
> > 
> 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 
-- 
Bazsi
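The point Patrick and Bazsi make is that the framing on the tcp() channel is a contract with the receiver: a receiver written for legacy RFC 3164 lines will not parse a line whose timestamp has been swapped for an ISO one, while a receiver that wants ISO timestamps usually speaks RFC 5424 anyway. The following is an added example, not code from the thread or from syslog-ng, that parses the three framings seen above (the legacy line from Chris's tcpdump, the same record as the template("$ISODATE $HOST $MSGHDR$MSG\n") fix would emit it, and the RFC 5424 line Patrick quoted), emulates the template on the legacy record, and shows a legacy-only receiver rejecting the retemplated line. The sample lines are constructed to mirror the thread, and the year 2012 and the -07:00 offset used to complete the legacy timestamp are assumptions, since RFC 3164 timestamps carry neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, modelled on the thread (not captured traffic).
LEGACY = ("<86>Apr  6 01:24:01 host CRON[1923]: pam_unix(cron:session): "
          "session closed for user root")
ISO_LEGACY = ("<86>2012-04-06T01:24:01-07:00 host CRON[1923]: "
              "pam_unix(cron:session): session closed for user root")
RFC5424 = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
           "BOM'su root' failed for lonvick on /dev/pts/8")

ISO_TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)"
LEGACY_TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"

# RFC 5424: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD [MSG]"
_RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>-|" + ISO_TS + r") (?P<host>\S+) "
    + r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    + r"(?: (?P<msg>.*))?$")
# Legacy framing with $ISODATE substituted for the BSD timestamp
_ISO_LEGACY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>" + ISO_TS + r") (?P<host>\S+) (?P<msg>.*)$")
# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOST MSG"
_LEGACY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>" + LEGACY_TS + r") (?P<host>\S+) (?P<msg>.*)$")


def _parse_iso(ts: str) -> datetime:
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(ts[:-1] + "+00:00" if ts.endswith("Z") else ts)


def _parse_legacy_ts(ts: str, year: int, tz: timezone) -> datetime:
    # RFC 3164 timestamps have no year and no zone; both are assumed here
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)


def parse_syslog(line: str, year: int = 2012,
                 tz: timezone = timezone(timedelta(hours=-7))) -> dict:
    """Parse one syslog line in any of the three framings from the thread.

    Returns the detected wire format, facility and severity split out of
    PRI, a timezone-aware timestamp (None for an RFC 5424 NILVALUE), host
    and message body. Raises ValueError for anything else.
    """
    for fmt, rx in (("rfc5424", _RFC5424_RE), ("iso-template", _ISO_LEGACY_RE),
                    ("rfc3164", _LEGACY_RE)):
        m = rx.match(line)
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # 23 facilities * 8 severities - 1
            raise ValueError(f"PRI out of range: {pri}")
        ts = m.group("ts")
        when = _parse_legacy_ts(ts, year, tz) if fmt == "rfc3164" \
            else (None if ts == "-" else _parse_iso(ts))
        return {"format": fmt, "facility": pri >> 3, "severity": pri & 7,
                "timestamp": when, "host": m.group("host"),
                "msg": m.group("msg") or ""}
    raise ValueError(f"unrecognised syslog framing: {line[:40]!r}")


def render_iso_template(parsed: dict) -> str:
    """Emulate template("$ISODATE $HOST $MSGHDR$MSG\\n") on a parsed record
    (without the trailing newline): $MSGHDR$MSG is the body after the host."""
    pri = (parsed["facility"] << 3) | parsed["severity"]
    return f"<{pri}>{parsed['timestamp'].isoformat()} {parsed['host']} {parsed['msg']}"


def legacy_only_accepts(line: str) -> bool:
    """A receiver that understands only RFC 3164 framing: the parser Patrick
    warns would break if the tcp() driver changed its timestamp format."""
    return _LEGACY_RE.match(line) is not None


if __name__ == "__main__":
    for line in (LEGACY, ISO_LEGACY, RFC5424):
        print(parse_syslog(line)["format"], legacy_only_accepts(line))
    print(render_iso_template(parse_syslog(LEGACY)) == ISO_LEGACY)
```

Run stand-alone it reports the detected framing of each sample and whether a legacy-only receiver would take it; the retemplated line and the RFC 5424 line are both rejected by that receiver, which is exactly why ts_format() is left alone on the tcp() driver and a template or the syslog() driver is the right tool when the far end wants ISO timestamps.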