[syslog-ng] Issue with timestamp

Scheidler, Balázs balazs.scheidler at balabit.com
Sun Jun 18 07:43:15 UTC 2017


Your firewall probably does not use RFC 3164 properly, and although syslog-ng
does have a few heuristics to deal with differences, your fw may just get
parsed incorrectly.

You might want to disable parsing using flags(no-parse) and then deal with
it accordingly.

No-parse will put the entire message with headers into $MSG, which can then
be broken down by various syslog-ng parsers, like the date-parser or regexp
based ones.


On Jun 18, 2017 02:40, "Andrew" <toranagtrx at gmail.com> wrote:

> I looked into it further and the firewall is sending the year in the
> message. I thought that it wasn't, but it was getting chopped off in the
> JSON output.
> I rectified it by using ${MSGHDR}${MSG} in my template, which now gives me
> the full timestamp in the message, which is mainly what I needed.
>
> I will look into the date-parser, thanks for the info.
>
> On Sun, Jun 18, 2017 at 7:14 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>
>> Hi Andrew,
>>
>> If you have a recent enough syslog-ng version, you can use the date-parser
>> to parse your date. Otherwise, I guess you could use the current year $YEAR
>> and add it to the message using a rewrite rule.
>>
>> Cheers
>>
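Putting the thread's suggestions together, here is an added syslog-ng configuration sketch (not from any of the posters) that disables header parsing with flags(no-parse), pulls the firewall's own year-bearing timestamp out of $MSG, and re-parses it with date-parser(). The listener port, the example timestamp layout "Jun 18 2017 07:14:05", the optional <PRI> prefix, the version line and the output path are all assumptions to adjust to the real device.

```conf
# Added example (assumed syslog-ng 3.10+ for regexp-parser; date-parser needs 3.8+).
@version: 3.10

# Take the firewall's lines verbatim: no header heuristics, everything in ${MSG}.
source s_fw {
    network(
        ip("0.0.0.0") port(5514) transport("udp")
        flags(no-parse)
    );
};

# Assumed line shape (placeholder): "<134>Jun 18 2017 07:14:05 fw01 ...".
# Cut the timestamp, including the year, into a name-value pair.
parser p_fw_ts {
    regexp-parser(
        patterns('^(<[0-9]+>)?(?<fw.ts>[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2})')
        template("${MSG}")
    );
};

# Turn that string into the message's real timestamp (drives ${ISODATE}, ${YEAR}, ...).
# Adjust format() to the device's actual layout.
parser p_fw_date {
    date-parser(
        format("%b %d %Y %H:%M:%S")
        template("${fw.ts}")
    );
};

# Older syslog-ng without date-parser: the $YEAR rewrite suggested in the thread.
# Use instead of p_fw_date, not together with it.
rewrite r_add_year {
    set("${YEAR} ${MSG}" value("MSG"));
};

# JSON output carrying the parsed date alongside the untouched raw line.
destination d_fw_json {
    file("/var/log/fw.json"
        template("$(format-json --scope nv_pairs --key ISODATE)\n")
    );
};

log {
    source(s_fw);
    parser(p_fw_ts);
    parser(p_fw_date);
    destination(d_fw_json);
};
```

Lines that do not match the pattern keep syslog-ng's receive time as their timestamp, so compare ${ISODATE} against the raw ${MSG} in the output to confirm the parser actually fired before relying on it.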