[syslog-ng] syslog message without timestamp

Scheidler, Balázs balazs.scheidler at balabit.com
Fri Sep 23 11:45:24 CEST 2016


For one, I think you were not sending your log messages to an
RFC5424-capable source; you need to use the syslog() driver, for example:

source src {
  syslog(transport(udp));
};


There are other transports available (like tcp or tls). The NIL value at
the date position seems to be supported, but I am not sure which version
added this. I've checked out the current master.

But I think what you are after is the "no-parse" flag.

source src {
  tcp(flags(no-parse));
};

This means that the entire line received is stuffed into the $MSG
name-value pair.

-- 
Bazsi
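
The two message forms discussed in this thread, run through a small receiver-side parser. This is an added example, not part of the original mail and not syslog-ng's parser; `parse` and the field names are hypothetical. It always stamps the record with the receiver's clock, in the spirit of the keep-timestamp(no) suggestion quoted below, and keeps any sender-supplied timestamp only as an untrusted string.

```python
import re
from datetime import datetime, timezone

NIL = "-"  # RFC 5424 NILVALUE
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?\Z", re.DOTALL)
# Timestamp-less legacy form from the thread: <prio>procname[procid]: LogMessage
LEGACY = re.compile(
    r"<(?P<pri>\d{1,3})>(?:(?P<app>[^\s:\[]+)(?:\[(?P<procid>[^\]]*)\])?: ?)?"
    r"(?P<msg>.*)\Z", re.DOTALL)


def parse(datagram: bytes, received_at: datetime) -> dict:
    """Parse one syslog datagram; the record time is always received_at."""
    text = datagram.decode("utf-8", errors="replace")
    for fmt, pattern in (("rfc5424", RFC5424), ("legacy", LEGACY)):
        m = pattern.match(text)
        if not m or int(m["pri"]) > 191:  # PRI is facility * 8 + severity
            continue
        pri, f = int(m["pri"]), m.groupdict()

        def field(name):
            # "-" means "no value" only in the RFC 5424 header.
            v = f.get(name)
            return None if v is None or (fmt == "rfc5424" and v == NIL) else v

        return {
            "format": fmt, "facility": pri >> 3, "severity": pri & 7,
            "timestamp": received_at,            # receiver clock, trusted
            "sender_timestamp": field("ts"),     # sender claim, untrusted
            "host": field("host"), "app": field("app"),
            "procid": field("procid"), "msgid": field("msgid"),
            "msg": f.get("msg") or "",
        }
    # No valid PRI: keep the whole line as the message, unparsed.
    return {"format": "raw", "timestamp": received_at, "msg": text}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed sample datagrams, modelled on the strings quoted in the thread.
    for sample in (b"<110>1 - hostname procname procid - - Message",
                   b"<110>procname[42]: LogMessage",
                   b"no priority field at all"):
        print(parse(sample, now))
```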

On Fri, Sep 23, 2016 at 11:28 AM, Csuti Istvan <icsuti at zalaszam.hu> wrote:

> Hi All!
>
> The solution is:
> Use the old RFC3164 message syntax without a timestamp:
> The UDP message is:
> "<prio>procname[procid]: LogMessage"
>
> prio: byte 0-191 (see more information in RFC3164,
> https://www.ietf.org/rfc/rfc3164.txt)
> procname: string (max length 48 characters)
> procid: number (max length 128 characters)
> Full UDP message length: 1024 characters
>
> Best regards
>
> On 2016.09.22. 10:55, Fekete, Róbert wrote:
>
> I see. Then the easiest is probably to not bother with the timestamp on the
> sender (arduino) side, and set the keep-timestamp(no) option on the server
> side.
>
> On Wed, Sep 21, 2016 at 9:41 PM, Csuti Istvan <icsuti at zalaszam.hu> wrote:
>
>
> Hi!
>
> I am writing a program on an Arduino embedded system.
> This device does not have a real-time clock.
> I sent the UDP syslog datagram from this device.
>
>
> On 2016.09.21. 20:19, Fekete, Róbert wrote:
>
> Hi,
>
> The easiest way to drop the timestamp is on the syslog-ng server side,
> where you write the message into a file. There you can use a template,
> something like the one below. But why do you want to send a message without
> a timestamp?
>
> destination d_file {
>     file("/var/log/messages" template("${MSG}\n"));
> };
>
>
>
> On Wed, Sep 21, 2016 at 7:41 PM, Csuti Istvan <icsuti at zalaszam.hu> wrote:
>
>
> Hi All!
>
> I would like to send a UDP message to the syslog server without a timestamp.
>
> I read RFC3164 and RFC5424 and syslog-ng-ose-guide-admin.pdf.
>
> The new "RFC 5424 (also called the IETF-syslog protocol): see Section
> 2.8.2, IETF-syslog messages (p. 13)" supports NIL values "-" in the HEADER.
>
> I sent this: "<110>1 - hostname procname procid - - Message"
>
> The syslog-ng server logged this:
>
> "Sep 21 19:29:54 h164-19 1: - hostname procname procid - - Message"
>
> Questions:
> What is wrong in my message string?
> Why does the syslog-ng server not decode the "1" after ">" as the version?
> Can I send an old syslog message (RFC3164) without a timestamp?
>
> Best Regards
> Istvan Csuti
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
> --
> Csuti István
> system administrator
> __________________________________________________
>
> Zalaszám Informatika Kft.
> 8900 Zalaegerszeg, Mártírok útja 53.
> Phone: 92/502-593
> Fax: 92/502-501
> e-mail: icsuti at zalaszam.hu
> web: www.zalaszam.hu