[syslog-ng] insert timezone into log

Kókai Péter peter.kokai at balabit.com
Thu Apr 26 05:30:24 UTC 2018


Hello,

There are a few date-related macros, and I think you are looking for the
$ISODATE. Of course first you have to fix up the date with the

Configuration:
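@version: 3.15

log {
        source { internal(); };
        # Read raw lines from stdin without syslog header parsing
        source { stdin(flags(no-parse)); };
        parser {
                # Split the message into key=value pairs (yields ${generateTime})
                kv-parser();
                # Set the message timestamp from the epoch in generateTime
                date-parser(format("%s") template("${generateTime}"));
        };
        # $ISODATE prints the timestamp in ISO 8601 with a timezone offset
        destination { file("/dev/stdout" template("$ISODATE $MSG\n") frac-digits(3)); };
};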



Console:
Input:
    Apr 25 16:46:51 host.example.net .., generateTime=1524674663, ...

Output:
    2018-04-25T18:44:23.000+02:00     Apr 25 16:46:51 host.example.net .., generateTime=1524674663, ...

You may need to tweak the configuration further.

--
Kokan

On Thu, Apr 26, 2018 at 4:48 AM Asif Iqbal <vadud3 at gmail.com> wrote:

> On Wed, Apr 25, 2018 at 10:36 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>
>>
>>
>> On Wed, Apr 25, 2018 at 12:57 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>
>>>
>>> On Wed, Apr 25, 2018 at 12:49 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>>
>>>> How do I change the time in the log to append a timezone? Timestamp
>>>> should be based on generateTime=1523620861 which is in the log
>>>>
>>>> So today the time in the log shows like this
>>>>
>>>>     Apr 25 16:46:51 host.example.net .., generateTime=1524674663, ...
>>>>
>>>> I would like to change it like below
>>>>
>>>>     2018-04-25T16:46:55+0000 host.example.net ...,generateTime=1524674663, ....
>>>>
>>>>
>>>>
>>>>
>>>
>>>>
>>>> {"PROGRAM":"alarmLog,","PRIORITY":"notice","MESSAGE":"applianceName=KING-MER-50-PRI,
>>>> tenantName=king, alarmType=vrrp-v3-proto-error, alarmKey=0|vni-0/3.0,
>>>> generateTime=1523620861, applianceId=1, vsnId=0, tenantId=4,
>>>> alarmCause=causeOther, alarmClearable=no, alarmClass=new, alarmKind=root,
>>>> alarmEventType=equipmentAlarm, alarmSeverity=indeterminate,
>>>> alarmOwner=tenant, alarmSeqNo=36657, alarmText=\"vni-0/3.0\",
>>>> siteName=","HOST":"host.example.net","FACILITY":"user","DATE":"Apr 13
>>>> 04:01:22"}
>>>>
>>>
>>>
>>> That was the output of
>>>
>>>    filter f_alarm { facility(user) and match("alarmLog" value("PROGRAM")); };
>>>
>>>    destination d_alarm { file ("/var/log/alarms.log" template("$(format-json -s syslog-proto)\n")); };
>>>
>>>
>>
>>
>> I am using syslog-ng version 3.5.6, latest from centos 7
>>
>>
>>
>
> upgrade to syslog-ng 3.14 using the repo from here
> https://syslog-ng.com/blog/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions/
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
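As an added illustration (not part of the original messages and not syslog-ng code), the Python below mirrors what kv-parser() plus date-parser(format("%s")) and $ISODATE with frac-digits(3) do to the sample line, and shows that the chosen UTC offset decides whether the stamp reads +02:00 or +00:00. The function names, the offset_minutes parameter and the 10-digit epoch limit are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# key=value pairs; a value is either double-quoted or runs to the next
# comma/whitespace, so a quoted value cannot smuggle in a second key.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')


def parse_kv(msg):
    """Return the key=value pairs found in msg as a dict (last one wins)."""
    return {key: value.strip('"') for key, value in _PAIR.findall(msg)}


def iso_stamp(epoch, offset_minutes=0, frac_digits=3):
    """Format an epoch as ISO 8601 with an explicit UTC offset."""
    tz = timezone(timedelta(minutes=offset_minutes))
    dt = datetime.fromtimestamp(epoch, tz)
    text = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if frac_digits:
        text += "." + f"{dt.microsecond:06d}"[:frac_digits]
    off = dt.strftime("%z")                 # e.g. "+0200"
    return f"{text}{off[:3]}:{off[3:]}"     # e.g. "+02:00"


def restamp(line, offset_minutes=0):
    """Prefix line with the ISO timestamp taken from its generateTime field.

    Returns None when the field is missing or is not a plain epoch, so the
    caller can keep the original timestamp rather than emit a wrong one.
    """
    raw = parse_kv(line).get("generateTime", "")
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return f"{iso_stamp(int(raw), offset_minutes)} {line}"


if __name__ == "__main__":
    # Sample line from the thread
    sample = ("Apr 25 16:46:51 host.example.net .., "
              "generateTime=1524674663, ...")
    print(restamp(sample, offset_minutes=120))  # local offset, as in the reply
    print(restamp(sample))                      # UTC, the form asked for
```
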