[syslog-ng] using VARARGS correctly

Daniel Ehrlich Daniel.Ehrlich at usq.edu.au
Wed May 19 23:35:04 UTC 2021


Hi Everyone,

I am having an issue when the Zulu timestamp is between 10 and 23:59. i.e. the logs format differently before 10AM and after 10AM.

I have captured in a tcpdump the syslogs coming in and they both seem the same.
We're at GMT+10, so this event was at 11:14:14 on the 19th of May.
Msg: 2021-05-19T1:14:14Z 10.18.0.14 E-MICRO 1621386854,23.85,31.48,5.91,n/a,n/a,n/a,n/a,n/a,n/a,O,O\0x0a\0x0d

This event was at 09:07:47 the next day, the 20th of May:
Msg: 2021-05-19T23:07:46Z 10.18.0.14 E-MICRO 1621465666,24.96,32.54,7.36,n/a,n/a,n/a,n/a,n/a,n/a,O,O\0x0a\0x0d

In the output files, both events go to the 0519.log file, until 10AM or 00:00:00Z the next day.
First event logs as:
May 19 11:14:14 10.18.0.14 2021-05-19T1:14:14Z 10.18.0.14 E-MICRO 1621386854,23.85,31.48,5.91,n/a,n/a,n/a,n/a,n/a,n/a,O,O

Second event logs as:
May 19 23:07:46 10.18.0.14 E-MICRO 1621465666,24.96,32.54,7.36,n/a,n/a,n/a,n/a,n/a,n/a,O,O

I assume some built-in filtering is changing the way these are parsed in syslog-ng?

I have tried to play with raw message filtering but it doesn't take the conf file:
@version:3.5
@include "scl.conf"

# syslog-ng configuration file.
#

options {
   chain_hostnames(no);
   create_dirs (yes);
   dir_perm(0755);
   dns_cache(yes);
   keep_hostname(yes);
   log_fifo_size(2048);
   log_msg_size(8192);
   perm(0644);
   time_reopen (10);
   use_dns(yes);
   use_fqdn(yes);
};

source s_network {
   udp(port(514));
};

source attivo {
   tcp(port(514));
};

### DESTINATIONS
destination d_files_splunk {
   file("/opt/splunk/var/lib/splunk/syslog-ng/$HOST/$MONTH$DAY.log" create_dirs(yes));
};
destination d_files_nti {
   file("/opt/splunk/var/lib/splunk/syslog-ng/$HOST/$MONTH$DAY.log" create_dirs(yes) template(t_nti));
};

### FILTERS
filter nti {
   host("10.18.0.14" type(glob));
};
filter splunk {
   not (filter(nti));
};

### LOG
log {
   source(s_network);
   #filter(splunk);
   destination(d_files_splunk);
};
log {
   source(s_network);
   filter(nti);
   destination(d_files_nti);
};
log {
   source(attivo);
#   filter(splunk);
   destination(d_files_splunk);
};

### TEMPLATES
template t_nti {
        # The statement inside the block must end with a semicolon,
        # otherwise syslog-ng rejects the configuration file.
        # Note that ${RAWMSG} is only populated when the source that
        # receives the message sets flags(store-raw-message).
        template("${RAWMSG}\n");
};

Any help is appreciated.
Thanks
Daniel Ehrlich
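An added illustration of the parsing difference behind the two 0519.log lines above; this is example code written for this page, not syslog-ng's own logic or anything from the original post. It assumes, as a simplified model of the receiver, that the leading token of a line is taken as the message's own timestamp only when it is a well-formed RFC 3339 value with a two-digit hour, so "2021-05-19T1:14:14Z" is not recognised and the receiver's arrival time and peer address are stamped in front of the entire line instead.

```python
import re
from datetime import datetime

# The two lines from the post's tcpdump capture (trailing \x0a\x0d dropped),
# sent by the same device on consecutive local days.
CAPTURED = [
    "2021-05-19T1:14:14Z 10.18.0.14 E-MICRO 1621386854,23.85,31.48,5.91,n/a,n/a,n/a,n/a,n/a,n/a,O,O",
    "2021-05-19T23:07:46Z 10.18.0.14 E-MICRO 1621465666,24.96,32.54,7.36,n/a,n/a,n/a,n/a,n/a,n/a,O,O",
]

# Strict RFC 3339 shape: hour, minute and second must be exactly two digits.
# datetime.strptime() is too lenient for this check, its %H accepts "1".
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})$"
)


def split_header(line):
    """Return (timestamp, host, msg) when the line opens with a valid
    RFC 3339 timestamp, or (None, None, line) when it does not."""
    ts, _, rest = line.partition(" ")
    if not RFC3339.match(ts):
        return None, None, line
    host, _, msg = rest.partition(" ")
    return ts, host, msg


def render(line, received_at, peer):
    """Format one line the way the post's 0519.log shows it (assumed model of
    the default file template): a parsed timestamp and host are kept; otherwise
    the receiver stamps the time and peer address it saw and keeps the whole
    line as the message text."""
    ts, host, msg = split_header(line)
    if ts is None:
        stamp, host, msg = received_at, peer, line
    else:
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return f"{stamp:%b %d %H:%M:%S} {host} {msg}"


def example_outputs():
    """Render both captured lines with the local (GMT+10) receive times
    from the post; the results match the two quoted 0519.log entries."""
    received = [datetime(2021, 5, 19, 11, 14, 14), datetime(2021, 5, 20, 9, 7, 46)]
    return [render(l, t, "10.18.0.14") for l, t in zip(CAPTURED, received)]


if __name__ == "__main__":
    print("\n".join(example_outputs()))
```

Running it prints the two lines exactly as they appear in the log file quoted in the post, which is the signature of a timestamp that failed to parse on one line and parsed on the other.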