-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm trying to get rsyslog to output the messages in a format I would like. I'm, using the "RSYSLOG_SyslogProtocol23Format" template for one of the log files, which prints like this: <30>1 2010-11-22T16:29:04.707021+01:00 Telcontar smartd 3860 - - Device: /dev/sdc [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 29 to 28 For this I use this rule: *.* -/var/log/allmessages;My_SyslogProtocol23Format The problem starts with the templates: the definitions are not documented, I had to dig them out of the sources: static uchar template_SyslogProtocol23Format[] = "\"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n\""; I would like the timestamp to be like "2010-11-22 16:29:04". To this end I define my own template derived from that one: $template My_SyslogProtocol23Format,"<%PRI%> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" which works - ie, it is the same as the original one. So far, so good. But I can't find documentation for the "TIMESTAMP" formats supported. In the file "features.html" I see: +++······················ Current Features ... • good timestamp format control; at a minimum, ISO 8601/RFC 3339 second-resolution UTC zone ······················++- date-rfc3339 produces output like 2010-11-22T17:09:20.201284+01:00, which is different from what the CLI equivalent does: cer@Telcontar:~> date --iso=ns ; date --rfc-3339=ns 2010-11-22T17:13:58,866637161+0100 2010-11-22 17:13:58.868123100+01:00 (the one I want is --rfc-3339=seconds, wich in "date" does not print the "T") I think that rsyslog got the specification reversed. Anyway, if I try the "other one" in the template: $template My_SyslogProtocol23Format,"<%PRI%> %TIMESTAMP:::date-rfc8601% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" I get this output: <46> Nov 22 17:16:48 Telcontar rsyslogd - - - ... which means it was not recognised at all. I have also tried "date-rfc8601=seconds" and "date-rfc33390seconds", none works. There is no mention in the sources of "rfc8601", only date-rfc3164 and date-rfc3339. So the question is, what are the syntax timestamp modifiers, what modifiers are really available? - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) iEYEARECAAYFAkzqm1QACgkQtTMYHG2NR9XB/QCdFplR7PrrUNB68IMeexmbqhsV tkgAnii2U2fSQdb/ayyznyN0HmtyJHHL =ZfGN -----END PGP SIGNATURE-----