-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, 2010-11-22 at 17:33 +0100, Carlos E. R. wrote:

Hi,

I'm trying to get rsyslog to output the messages in a format I would like. I'm, using the "RSYSLOG_SyslogProtocol23Format" template for one of the log files, which prints like this:

...

But I can't find documentation for the "TIMESTAMP" formats supported. In the file "features.html" I see:

...

So the question is, what are the syntax timestamp modifiers, what modifiers are really available?

None, it turns out. AFAIK. First, the rfc3339 date format supported is a subset, a stricter one. I found the definition in the "draft-ietf-syslog-protocol-23" definition - link: <http://zinfandel.levkowetz.com/html/draft-ietf-syslog-protocol-23#section-6.2.3> +++··························· 6.2.3. TIMESTAMP The TIMESTAMP field is a formalized timestamp derived from [RFC3339]. Whereas [RFC3339] makes allowances for multiple syntaxes, this document imposes further restrictions. The TIMESTAMP value MUST follow these restrictions: o The "T" and "Z" characters in this syntax MUST be upper case. o Usage of the "T" character is REQUIRED. o Leap seconds MUST NOT be used. The originator SHOULD include TIME-SECFRAC if its clock accuracy and performance permit. The "timeQuality" SD-ID described in Section 7.1 allows the originator to specify the accuracy and trustworthiness of the timestamp. A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog application is incapable of obtaining system time. ···························++- Digging in the code I found that the date formats allowed by the rsyslog program are: rfc 3339, rfc 3164, pgsql and mysql. There is also "subseconds", but useless. Samples: 0 1 2 3 1 5 0 5 0 5 0 date-rfc3339 2010-12-05T02:21:41.889482+01:00 date-rfc3164 Dec 5 02:21:13 date-pgsql 2010-12-05 02:27:34 date-mysql 20101205022845 date-subseconds 529067 So the closest to my liking is "date-pgsql", and my definition ends like this: $template My_SyslogProtocol23Format,"<%PRI%> %TIMESTAMP:::date-pgsql% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" I did not find references to modifications of those timestamps - I would simply like to reduce the precision (ie, eliminate or limit the subseconds). [...] Correction. I did find something else - by wild guessing! %TIMESTAMP::3:date-rfc3339% means that the maximum width of the field is 3 digits. It prints like: <46> 201 Hostnane.... and a ::22: yields: <46> 2010-12-05T03:15:13.85 Hostname A :22:: yields the same. But "TIMESTAMP:22:2:date-rfc3339" yields: 0 1 2 3 1 5 0 5 0 5 0 <46> 010-12-05T03:22:07.10 Hostname <-- :22:2: <46> 10-12-05T03:23:48.76 Hostname <-- :22:3: It seems that one trims from the left and the other from the right. Curious, is it not? And as far as I know, absolutely not documented. Correction again. It is briefly documented - now that I know what to look for: +++··························· Syslog message properties are used inside templates. They are accessed by putting them between percent signs. Properties can be modified by the property replacer. The full syntax is as follows: %propname:fromChar:toChar:options% ···························++- So, another possible template would be: $template My_SyslogProtocol23Format,"<%PRI%> %TIMESTAMP::22:date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" which yields: <46> 2010-12-05T03:35:39.644 Telcontar rsyslogd - - - [origin software="rsyslogd" swVersion="4.4.1" x-pid="7344" x-info="http://www.rsyslog.com"] (re)start Not bad, but the 'T' in between is confusing to my sight. Y prefer the pgsql timestamp. I now have all logs in that format, except the allmessages file (full date-rfc3339), when needed. It seems that all this is documented in the file "property_replacer.html" of the sources. Even regex expressions in there! :-O - -- Cheers, Carlos E. R. (from 11.2 x86_64 "Emerald" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) iEYEARECAAYFAkz6/SwACgkQtTMYHG2NR9U5NgCfUaYtuK+WO6k+WRCnKzsGYTte 66EAn0d2HOFj8CMKDnv54nK2M2dXF2n+ =gJhd -----END PGP SIGNATURE-----