[syslog-ng] sub-second time digits all 0

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Mon Sep 9 10:58:53 UTC 2019


Hi John,

It seems that su and sshd do not provide sub-second timestamps. There cannot be a fix for that from the syslog-ng side.

You can choose to discard the timestamps provided by the source and use the timestamp of the log reception. The 'reception' timestamp has sub-second time information.
Note that the 'reception' timestamp can differ from the original timestamp.
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/keep-timestamp

May I ask if there is any particular reason you are using 3.5.3? There are fresher releases with a lot of new features and bugfixes.

Best regards,
Attila

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of John Chang <jchang at skytap.com>
Sent: Wednesday, September 4, 2019 11:17 PM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] sub-second time digits all 0


Thanks for the advice. Testing as you advise, I do get the sub-second non-zero digits.

Are you saying that the commit you reference fixes the problem in 3.5.6?

On Tue, Sep 3, 2019 at 4:18 PM John Chang <jchang at skytap.com> wrote:
Hello, I am not getting non-zero sub-second timestamp digits. My /etc/syslog-ng/syslog-ng.conf file includes this global configuration:


# First, set some global options.
options { frac-digits(3); chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
          owner("root"); group("adm"); perm(0640); stats_freq(0);
          bad_hostname("^gconfd$");
};

My syslog-ng.conf also includes a sub-config file for sending the logs to a remote host, with this configuration:

destination d_net {
    udp("loggerhost" port(30515) frac-digits(3) );
};
log { source(s_src); destination(d_net); };

But all sub-second timestamp digits wind up being only zeroes on the remote "loggerhost", like this:

2019-09-03T21:57:23.000+00:00 10.73.254.255 [info] [sshd]  3284 Accepted password for root from 10.72.0.186 port 50720 ssh2


The sending host is running syslog-ng 3.5.3. The receiving "loggerhost" is running 3.5.6. Thanks in advance for any help you can afford.
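
Added example, not part of the thread and not syslog-ng's own code: a small Python model of the behaviour discussed above. It assumes the sender writes the classic BSD (RFC 3164) header, which has one-second resolution, so keeping the sender's timestamp yields ".000" while stamping on reception yields real sub-second digits; the function names, sample messages and the year/UTC handling are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample messages (not taken from the hosts in this thread).
BSD = "<38>Sep  3 21:57:23 host sshd[3284]: Accepted password for root"
ISO = "<38>2019-09-03T21:57:23.417+00:00 host app[1]: started"

_ISO_RE = re.compile(r"^<\d+>(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d) ")
_BSD_RE = re.compile(r"^<\d+>([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")


def sender_stamp(line, year):
    """Return (datetime, has_subsecond) from the message header, or None."""
    m = _ISO_RE.match(line)
    if m:
        date, frac, tz = m.groups()
        micro = (frac or "")[:6].ljust(6, "0")
        tz = "+00:00" if tz == "Z" else tz
        dt = datetime.strptime(f"{date}.{micro}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")
        return dt, frac is not None
    m = _BSD_RE.match(line)
    if m:
        # The BSD header carries no year, zone or fraction: the year is
        # supplied by the caller and UTC is assumed for this example.
        mon, day, hms = m.groups()
        dt = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        return dt.replace(tzinfo=timezone.utc), False
    return None


def stamp(line, received, keep_timestamp=True, frac_digits=3, year=2019):
    """Model of the output timestamp; keep_timestamp mirrors keep-timestamp()."""
    parsed = sender_stamp(line, year)
    dt = parsed[0] if (keep_timestamp and parsed) else received
    off = dt.strftime("%z")                       # e.g. "+0000"
    frac = f"{dt.microsecond:06d}"[:frac_digits]  # truncated, not rounded
    dot = "." if frac_digits else ""
    return f"{dt:%Y-%m-%dT%H:%M:%S}{dot}{frac}{off[:3]}:{off[3:]}"


if __name__ == "__main__":
    received = datetime(2019, 9, 3, 21, 57, 23, 812345, tzinfo=timezone.utc)
    for msg in (BSD, ISO):
        print(stamp(msg, received), stamp(msg, received, keep_timestamp=False))
```

When correlating events across hosts, remember that the reception timestamp reflects the receiver's clock and delivery delay, not the moment the sender logged the event.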