[syslog-ng] sub-second time digits all 0

Wed Sep 4 07:01:24 UTC 2019

Hi John,

Can you try it with another source?

source s_test {
  network(transport(udp) port(9090));
};
...
log { source(s_src); source(s_test); destination(d_net); };

Then run:
echo -n "test" >/dev/udp/localhost/9090
You can enable/disable wifi on your system, to generate kernel messages.

To me the output looks like this:
<13>Sep  4 08:50:32.370 127.0.0.1 test
<13>Sep  4 08:50:33.010 127.0.0.1 test
<13>Sep  4 08:50:33.425 127.0.0.1 test
<13>Sep  4 08:50:33.746 127.0.0.1 test
<13>Sep  4 08:50:34.066 127.0.0.1 test
<13>Sep  4 08:50:34.658 127.0.0.1 test
<13>Sep  4 08:50:35.026 127.0.0.1 test
<13>Sep  4 08:50:35.314 127.0.0.1 test
<13>Sep  4 08:50:35.666 127.0.0.1 test
<85>Sep  4 08:50:36.000 alltilla-Precision-5530 su[30952]: pam_unix(su:auth): authentication failure; logname=alltilla uid=1001 euid=0 tty=/dev/pts/11 ruser=alltilla rhost=  user=root
<83>Sep  4 08:50:38.000 alltilla-Precision-5530 su[30952]: pam_authenticate: Authentication failure
<6>Sep  4 08:52:47.691 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready
<6>Sep  4 08:52:47.775 alltilla-Precision-5530 kernel: IPv6: ADDRCONF(NETDEV_UP): wlp59s0: link is not ready

My su messages do not have sub-second times, either, but the test udp source, and wifi-generated kernel messages do have.
I am testing this on 3.5.6 on an Ubuntu-Xenial machine.

Although, there is some change about the frac-digits() behavior in 3.5.6, maybe 3.5.3 will have all zeros still.
https://github.com/balabit/syslog-ng/commit/70d758fe40ad64f78e28e87b629c54fbd1fdc09e

Thanks Szemere for the help!

Best regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of John Chang <jchang at skytap.com>
Sent: Wednesday, September 4, 2019 1:18 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] sub-second time digits all 0

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

Hello, I am not getting non-zero sub-second timestamp digits.  My  /etc/syslog-ng/syslog-ng.conf file includes this global configuration:

# First, set some global options.

options { frac-digits(3); chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);

          owner("root"); group("adm"); perm(0640); stats_freq(0);

          bad_hostname("^gconfd$");

};

My syslog-ng.conf also includes a sub-config file for sending the logs to a remote host, with this configuration:

destination d_net {

    udp("loggerhost" port(30515) frac-digits(3) );

};

log { source(s_src); destination(d_net); };

But all sub-second timestamp digits wind up being only zeroes on the remote "loggerhost", like this:

2019-09-03T21:57:23.000+00:00 10.73.254.255 [info] [sshd]  3284 Accepted password for root from 10.72.0.186 port 50720 ssh2

The sending host is running syslog-ng 3.5.3.  The receiving "loggerhost" is running 3.5.6 Thanks in advance for any help you can afford.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20190904/0f154ae3/attachment-0001.html>