[opensuse] opensuse 12.3 64-bit and bad date/time format in syslog.
Good afternoon,

opensuse 12.3 64-bit has a weird log format in /var/log/mail (also in messages too):

2013-05-14T09:56:10.047890+02:00 linux postfix/postfix-script[3786]: starting the Postfix mail system
2013-05-14T09:56:10.150203+02:00 linux postfix/master[3787]: daemon started -- version 2.9.6, configuration /etc/postfix
2013-05-14T09:58:15.493891+02:00 linux postfix/postfix-script[4717]: refreshing the Postfix mail system
2013-05-14T09:58:15.497188+02:00 linux postfix/master[3787]: reload -- version 2.9.6, configuration /etc/postfix
2013-05-14T10:21:41.961941+02:00 proxyad1 postfix/postfix-script[1083]: starting the Postfix mail system
2013-05-14T10:21:42.035250+02:00 proxyad1 postfix/master[1084]: daemon started -- version 2.9.6, configuration /etc/postfix
2013-05-14T10:40:47.356719+02:00 proxyad1 postfix/postfix-script[1124]: starting the Postfix mail system
2013-05-14T10:40:47.445164+02:00 proxyad1 postfix/master[1125]: daemon started -- version 2.9.6, configuration /etc/postfix
2013-05-14T10:44:44.549048+02:00 proxyad1 postfix/postfix-script[1093]: starting the Postfix mail system
2013-05-14T10:44:44.628421+02:00 proxyad1 postfix/master[1094]: daemon started -- version 2.9.6, configuration /etc/postfix
~

Squid, installed on this machine logs fine into his log, but I've my own defined logformat in the squid.conf. Where should be a mistake ?

Thank you very much and best regards
J.Karliak.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Karliak Josef wrote:
Good afternoon, opensuse 12.3 64-bit has a weird log format in /var/log/mail (also in messages too): 2013-05-14T09:56:10.047890+02:00 linux postfix/postfix-script[3786]: starting the Postfix mail system
Hi Josek

It's not sooo weird, it's just a high-precision ISO timestamp.
Squid, installed on this machine logs fine into his log, but I've my own defined logformat in the squid.conf. Where should be a mistake ?
/etc/rsyslog.conf or /etc/syslog-ng/syslog-ng.conf

--
Per Jessen, Zürich (17.2°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
On Tue, 14 May 2013 14:17:02 +0200 Per Jessen <per@computer.org> wrote:
Karliak Josef wrote:
Good afternoon, opensuse 12.3 64-bit has a weird log format in /var/log/mail (also in messages too): 2013-05-14T09:56:10.047890+02:00 linux postfix/postfix-script[3786]: starting the Postfix mail system
Hi Josek
It's not sooo weird, it's just a high-precision ISO timestamp.
Squid, installed on this machine logs fine into his log, but I've my own defined logformat in the squid.conf. Where should be a mistake ?
/etc/rsyslog.conf or /etc/syslog-ng/syslog-ng.conf
Why is it a mistake? I find those timestamps much better than traditional ones that do not include year (yes, sometimes I do have to analyze customer logs where it is significant) nor indicate timezone. The high precision format is used by default in rsyslog.
On 14/05/13 07:04, Karliak Josef wrote:
Where should be a mistake ?
Not an error or mistake, it is a feature, precise timestamps are required to do proper analysis and audit of the logs.
On Tuesday, 2013-05-14 at 13:04 +0200, Karliak Josef wrote:
Good afternoon, opensuse 12.3 64-bit has a weird log format in /var/log/mail (also in messages too):
2013-05-14T09:56:10.047890+02:00 linux postfix/postfix-script[3786]: starting the Postfix mail system
Where should be a mistake ?
No mistake, this is the default new format - although the recommended one is "RSYSLOG_SyslogProtocol23Format", which prints like this:

<13>1 2010-11-22T15:14:50.572314+01:00 router dnsprobe 516 - - Switching Back To Primary DNS server

The number in brackets is the facility+priority number, and the "1" after it is the version of the format, for parsers. That one is thus version 1.

In "/etc/rsyslog.conf" there is this line:

#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

If you uncomment it, you get the "traditional" format. I like neither of them, so I select another format, similar to the IETF one, but slightly modified:

$template My_SyslogProtocol23Format,"<%SYSLOGFACILITY%.%SYSLOGPRIORITY%> %TIMESTAMP:::date-pgsql% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
$ActionFileDefaultTemplate My_SyslogProtocol23Format

With that, the syslog lines are like this:

<4.5> 2013-05-14 18:32:55 Telcontar su - - - (to root) cer on /dev/pts/18

which I prefer, it is easier to read than new default format or the IETF one. In fact, I also have this in the config "/etc/rsyslog.conf":

*.* -/var/log/allmessages;RSYSLOG_SyslogProtocol23Format

producing the IETF format:

<63>1 2013-05-14T18:58:21.823344+02:00 Telcontar fetchnews 27095 - - <211 497 2 498 opensuse.org.help.howto
<62>1 2013-05-14T18:58:21.823426+02:00 Telcontar fetchnews 27095 - - opensuse.org.help.howto: no new articles
<63>1 2013-05-14T18:58:21.823432+02:00 Telcontar fetchnews 27095 - - >GROUP opensuse.org.no-support.surveys-polls

but I rotate this file early.
The available formats are these - or they were when I looked into this a year or two ago:

# file:///usr/share/doc/packages/rsyslog/doc/rsyslog_conf_templates.html
# * RSYSLOG_TraditionalFileFormat - the "old style" default log file format with low-precision timestamps
# * RSYSLOG_FileFormat - a modern-style logfile format similar to TraditionalFileFormat, but with high-precision timestamps and timezone information
# * RSYSLOG_TraditionalForwardFormat - the traditional forwarding format with low-precision timestamps. Most useful if you send messages to other syslogd's or rsyslogd below version 3.12.5.
# * RSYSLOG_ForwardFormat - a new high-precision forwarding format very similar to the traditional one, but with high-precision timestamps and timezone information. Recommended to be used when sending messages to rsyslog 3.12.5 or above.
# * RSYSLOG_SyslogProtocol23Format - the format specified in IETF's internet-draft ietf-syslog-protocol-23, which is assumed to become the new syslog standard RFC. This format includes several improvements. The rsyslog message parser understands this format, so you can use it together with all relatively recent versions of rsyslog. Other syslogd's may get hopelessly confused if receiving that format, so check before you use it. Note that the format is unlikely to change when the final RFC comes out, but this may happen.
# * RSYSLOG_DebugFormat - a special format used for troubleshooting property problems. This format is meant to be written to a log file. Do not use for production or remote forwarding.
To find out what each format actually does, you have to find out in the sources - and I did:

# /* hardcoded standard templates (used for defaults) */
# static uchar template_DebugFormat[] = "\"Debug line with all properties:\nFROMHOST: '%FROMHOST%', fromhost-ip: '%fromhost-ip%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n\"";
# static uchar template_SyslogProtocol23Format[] = "\"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n\"";
# static uchar template_TraditionalFileFormat[] = "\"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n\"";
# static uchar template_FileFormat[] = "\"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n\"";
# static uchar template_WallFmt[] = "\"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r\"";
# static uchar template_ForwardFormat[] = "\"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\"";
# static uchar template_TraditionalForwardFormat[] = "\"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\"";
# static uchar template_StdUsrMsgFmt[] = "\" %syslogtag%%msg%\n\r\"";
# static uchar template_StdDBFmt[] = "\"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')\",SQL";
# static uchar template_StdPgSQLFmt[] = "\"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-pgsql%', '%timegenerated:::date-pgsql%', %iut%, '%syslogtag%')\",STDSQL";
# /* end template */
#
# http://www.monitorware.com/common/en/articles/syslog-described.php?&PrinterVersion=1
#   Introduction to Syslog Protocol - old, 2003
# http://zinfandel.levkowetz.com/html/draft-ietf-syslog-protocol-23 - New <----
# Timestamp format: http://zinfandel.levkowetz.com/html/draft-ietf-syslog-protocol-23#section-6....

The available time formats are these - by experiment:

# Formats that I find experimentally to work. Idea taken from the sources, msg.h. template.c lists the possibilities
#                  0        1         2         3
#                  1   5    0    5    0    5    0
# date-rfc3339     2010-12-05T02:21:41.889482+01:00
# date-rfc3164     Dec 5 02:21:13
# date-pgsql       2010-12-05 02:27:34
# date-mysql       20101205022845
# date-subseconds  529067
#
# /usr/share/doc/packages/rsyslog/fuentes/doc/property_replacer.html documents all of this.

You are not free to use a free time format, they are hardcoded. I see above that you can use, for example "%TIMESTAMP:::date-rfc3339%". I found out what you could put in between those colons, but I don't remember and apparently I lost part of my notes.

HTH.

--
Cheers,
Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
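A parser for the two rsyslog formats discussed above, as an added example that is not part of the original thread: it decodes the `<PRI>` number into facility and severity and normalises the date-rfc3339 timestamps to UTC so lines from hosts in different timezones can be ordered. The names `parse_line` and `merge_by_time` are hypothetical, and the facility and severity names follow RFC 5424, the standard that grew out of draft-ietf-syslog-protocol-23.

```python
import re
from datetime import datetime, timezone

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
            "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITY += [f"local{i}" for i in range(8)]

# RSYSLOG_SyslogProtocol23Format: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Simplification: structured data is "-" or bracketed elements with no escaped "]".
P23 = re.compile(r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                 r"(?P<procid>\S+) \S+ (?:-|(?:\[[^\]]*\])+) ?(?P<msg>.*)")
# RSYSLOG_FileFormat: TIMESTAMP HOSTNAME syslogtag msg (the PRI is not written)
FILEFMT = re.compile(r"(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) "
                     r"(?P<app>[^\[:\s]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)")

def parse_line(line):
    """Parse one line of either format; return None if it matches neither."""
    m = P23.fullmatch(line.rstrip("\n")) or FILEFMT.fullmatch(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    ts = rec.pop("ts")
    if ts.endswith("Z"):                     # RFC 3339 also allows a literal "Z"
        ts = ts[:-1] + "+00:00"
    try:
        rec["utc"] = datetime.fromisoformat(ts).astimezone(timezone.utc)
    except ValueError:                       # e.g. a "-" (nil) timestamp
        return None
    pri = int(rec.pop("pri", None) or -1)
    known = 0 <= pri <= 191                  # PRI = facility * 8 + severity
    rec["facility"] = FACILITY[pri >> 3] if known else None
    rec["severity"] = SEVERITY[pri & 7] if known else None
    return rec

def merge_by_time(lines):
    """Order lines written by hosts in different timezones by absolute time."""
    return sorted(filter(None, map(parse_line, lines)), key=lambda r: r["utc"])

# First, second and fourth lines are quoted from the thread; the third is constructed.
SAMPLE = [
    "2013-05-14T09:58:15.493891+02:00 linux postfix/postfix-script[4717]: refreshing the Postfix mail system",
    "2013-05-14T09:56:10.047890+02:00 linux postfix/postfix-script[3786]: starting the Postfix mail system",
    "2013-05-14T08:30:00.000000+00:00 remote cron[100]: constructed line from a UTC host",
    "<13>1 2010-11-22T15:14:50.572314+01:00 router dnsprobe 516 - - Switching Back To Primary DNS server",
]

if __name__ == "__main__":
    for rec in merge_by_time(SAMPLE):
        print(rec["utc"].isoformat(), rec["host"], rec["facility"], rec["severity"], rec["msg"])
```

A line in RSYSLOG_TraditionalFileFormat returns None here: it carries neither year nor UTC offset, so it cannot be placed on the same absolute timeline without outside knowledge.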
Hi, thanks for answer, I couldn't find why the format is changed, I thought that it was some error. If it is a reason for parsing, I accept it :)

J.Karliak.

Carlos E. R. wrote on Tue 14. 05. 2013 at 19:09 +0200:
RSYSLOG_TraditionalFileFormat
On Wednesday, 2013-05-15 at 11:29 +0200, Karliak Josef wrote:
Hi, thanks for answer, I couldn't find why the format is changed, I thought that it was some error. If it is a reason for parsing, I accept it :)
It is your machine, use whatever you prefer :-)

--
Cheers,
Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
participants (5)
- Andrey Borzenkov
- Carlos E. R.
- Cristian Rodríguez
- Karliak Josef
- Per Jessen