[syslog-ng] Issue with timestamp

Andrew toranagtrx at gmail.com
Sun Jun 18 12:52:01 UTC 2017


Yes, that was the exact problem, thanks for that! Using no-parse and also
the date-parser I have been able to get this working perfectly.
I now have ISODATE matching to the same timestamp in the message from the
firewall.

Thanks for the help.

On Sun, Jun 18, 2017 at 5:43 PM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> Your firewall probably does not use rfc3164 properly and although syslog-ng
> does have a few heuristics to deal with differences, your fw may just get
> parsed incorrectly.
>
> You might want to disable parsing using flags(no-parse) and then deal with
> it accordingly.
>
> No-parse will put the entire message with headers to $MSG, which then can
> be broken down by various syslog-ng parsers, like the date-parser or regexp
> based ones.
>
>
> On Jun 18, 2017 02:40, "Andrew" <toranagtrx at gmail.com> wrote:
>
>> I looked into it further and the firewall is sending the year in the
>> message, I thought that it wasn't but it was getting chopped off in the
>> json output.
>> I rectified it by using ${MSGHDR}${MSG} in my template which now gives me
>> the full timestamp in the message which is mainly what I needed.
>>
>> I will look into the date-parser thanks for the info.
>>
>> On Sun, Jun 18, 2017 at 7:14 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>>
>>> Hi Andrew,
>>>
>>> If you have a recent enough syslog-ng version, you can use the date-parser
>>> to parse your date. Otherwise, I guess you could use the current year $YEAR
>>> and add it to the message using a rewrite rule.
>>>
>>> Cheers
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>
>
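
A configuration fragment for the approach the thread settles on, flags(no-parse) followed by date-parser, added here as an example and not taken from any of the posters. The firewall line format, the fw_ts name, the port, the file paths and the UTC time zone are assumptions; the thread does not show the real message.

```conf
# Added example. Assumed (constructed) firewall line, with the year included:
#   <134>2017-06-18 12:52:01 fw01 action=drop src=192.0.2.10

source s_fw {
    # no-parse: skip syslog header parsing, the whole received line goes to ${MSG}
    network(transport("udp") port(514) flags(no-parse));
};

filter f_fw_ts {
    # Capture the leading timestamp into ${fw_ts} (hypothetical name).
    match('^<\d+>(?<fw_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
          value("MESSAGE") type("pcre") flags("store-matches"));
};

parser p_fw_date {
    # Set the message's sender timestamp from the captured text.
    # time-zone("UTC") assumes the firewall clock runs in UTC.
    date-parser(
        format("%Y-%m-%d %H:%M:%S")
        template("${fw_ts}")
        time-zone("UTC")
    );
};

destination d_fw {
    # ${ISODATE} now reflects the firewall's own timestamp.
    file("/var/log/fw.log" template("${ISODATE} ${MSG}\n"));
};

destination d_fw_unparsed {
    file("/var/log/fw-unparsed.log" template("${R_ISODATE} ${MSG}\n"));
};

log { source(s_fw); filter(f_fw_ts); parser(p_fw_date); destination(d_fw); };

# Lines whose timestamp does not match or does not parse are dropped by the
# path above; the fallback path keeps them, stamped with the receive time.
log { source(s_fw); destination(d_fw_unparsed); flags(fallback); };
```

Watching the unparsed file shows when the device changes its format, before events start landing with the wrong time.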