[syslog-ng] sub-second time digits all 0
Attila Szakacs (aszakacs)
Attila.Szakacs at oneidentity.com
Wed Sep 4 07:01:24 UTC 2019
Hi John,
Can you try it with another source?
source s_test {
network(transport(udp) port(9090));
};
...
log { source(s_src); source(s_test); destination(d_net); };
Then run:
echo -n "test" >/dev/udp/localhost/9090
You can enable/disable wifi on your system to generate kernel messages.
To me the output looks like this:
<13>Sep 4 08:50:32.370 127.0.0.1 test
<13>Sep 4 08:50:33.010 127.0.0.1 test
<13>Sep 4 08:50:33.425 127.0.0.1 test
<13>Sep 4 08:50:33.746 127.0.0.1 test
<13>Sep 4 08:50:34.066 127.0.0.1 test
<13>Sep 4 08:50:34.658 127.0.0.1 test
<13>Sep 4 08:50:35.026 127.0.0.1 test
<13>Sep 4 08:50:35.314 127.0.0.1 test
<13>Sep 4 08:50:35.666 127.0.0.1 test
<85>Sep 4 08:50:36.000 alltilla-Precision-5530 su[30952]: pam_unix(su:auth): authentication failure; logname=alltilla uid=1001 euid=0 tty=/dev/pts/11 ruser=alltilla rhost= user=root
<83>Sep 4 08:50:38.000 alltilla-Precision-5530 su[30952]: pam_authenticate: Authentication failure
<6>Sep 4 08:52:47.691 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready
<6>Sep 4 08:52:47.775 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready
My su messages do not have sub-second times either, but the test UDP source and the wifi-generated kernel messages do.
I am testing this on 3.5.6 on an Ubuntu-Xenial machine.
However, there is some change in the frac-digits() behavior in 3.5.6; maybe 3.5.3 will still have all zeros.
https://github.com/balabit/syslog-ng/commit/70d758fe40ad64f78e28e87b629c54fbd1fdc09e
Thanks Szemere for the help!
Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of John Chang <jchang at skytap.com>
Sent: Wednesday, September 4, 2019 1:18 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] sub-second time digits all 0
Hello, I am not getting non-zero sub-second timestamp digits. My /etc/syslog-ng/syslog-ng.conf file includes this global configuration:
# First, set some global options.
options { frac-digits(3); chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
owner("root"); group("adm"); perm(0640); stats_freq(0);
bad_hostname("^gconfd$");
};
My syslog-ng.conf also includes a sub-config file for sending the logs to a remote host, with this configuration:
destination d_net {
udp("loggerhost" port(30515) frac-digits(3) );
};
log { source(s_src); destination(d_net); };
But all sub-second timestamp digits wind up being only zeroes on the remote "loggerhost", like this:
2019-09-03T21:57:23.000+00:00 10.73.254.255 [info] [sshd] 3284 Accepted password for root from 10.72.0.186 port 50720 ssh2
The sending host is running syslog-ng 3.5.3. The receiving "loggerhost" is running 3.5.6. Thanks in advance for any help you can afford.
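The comparison made in the reply (which message origins arrive with real sub-second digits and which always end in .000) can be automated over a captured log. The following is an added example, not part of the original thread or of syslog-ng; the function name frac_report, the verdict labels and the min_count threshold are assumptions made for illustration, and the sample lines are taken from the output quoted in the reply.

```python
import re
from collections import defaultdict

# <PRI>Mon D HH:MM:SS[.frac] HOST rest  (the layout of the output in the reply)
LINE_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
    r"(?:\.(?P<frac>\d+))? (?P<host>\S+) (?P<rest>.*)$"
)
PROG_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?:")

# Sample input: lines copied from the reply's output (first su line shortened).
SAMPLE = [
    "<13>Sep 4 08:50:32.370 127.0.0.1 test",
    "<13>Sep 4 08:50:33.010 127.0.0.1 test",
    "<85>Sep 4 08:50:36.000 alltilla-Precision-5530 su[30952]: pam_unix(su:auth): authentication failure",
    "<83>Sep 4 08:50:38.000 alltilla-Precision-5530 su[30952]: pam_authenticate: Authentication failure",
    "<6>Sep 4 08:52:47.691 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready",
    "<6>Sep 4 08:52:47.775 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready",
]

def frac_report(lines, min_count=2):
    """Return {origin: (total, all_zero_count, verdict)}.

    origin is the program name when the message carries one, else the host.
    """
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("frac") is None:
            continue  # not in this layout, or no fractional digits at all
        prog = PROG_RE.match(m.group("rest"))
        key = prog.group("prog") if prog else m.group("host")
        stats[key][0] += 1
        stats[key][1] += set(m.group("frac")) == {"0"}
    report = {}
    for key, (total, zeros) in stats.items():
        if zeros < total:
            verdict = "sub-second"      # at least one non-zero fraction seen
        elif total >= min_count:
            verdict = "all-zero"        # every sample ended in .000
        else:
            verdict = "inconclusive"    # one .000 can happen by chance
        report[key] = (total, zeros, verdict)
    return report

if __name__ == "__main__":
    for origin, (total, zeros, verdict) in sorted(frac_report(SAMPLE).items()):
        print(f"{origin:12} {zeros}/{total} all-zero fractions -> {verdict}")
```

An origin reported as all-zero while others on the same host show sub-second values points at the timestamps of that input rather than at the frac-digits() setting of the destination.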