David, Here is the full config:
*.* /var/log/debugfmt;RSYSLOG_DebugFormat ############################################ #Global Settings ############################################ $PreserveFQDN on $EscapeControlCharactersOnReceive off $CreateDirs on $umask 0000 $DirCreateMode 0755 $DirOwner root $DirGroup root $FileCreateMode 0640 $FileOwner root #Input Modules $ModLoad immark $ModLoad imuxsock $ModLoad imklog $SystemLogRateLimitInterval 0 # turn off RateLimit $MainMsgQueueSize 200000 # set a larger MainMsg queue (default 10k) $MainMsgQueueWorkerThreads 8 # default 1 $MainMsgQueueDequeueBatchSize 512 # default 32 ################################### #General Templates ################################## $template FileFormatFromhost,"%timestamp% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" $template ForwardFormatFromhost,"<%PRI%>%timestamp% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%" $ActionFileDefaultTemplate FileFormatFromhost $ActionForwardDefaultTemplate ForwardFormatFromhost ################################## #Local Log Settings ################################# # stock syslog :fromhost-ip, !isequal, "127.0.0.1" ~ *.*;daemon,local0,local5.none; /var/log/messages # test daemon,local0.* /var/log/test ## Remote Logging daemon,local0.* @@fwd.host # everything forwarded *.* @@master.syslog.host I'm not sure what the procedure is for local logging, but for what its worth I've been using syslog-ng 2.1.x which uses the timestamp provided in the rawmsg which is the behaviour i'm looking to get out of rsyslog. I've actually found a work around that almost works using the following format: $template FileFormatFromhost,"%rawmsg:6:20:date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" $template ForwardFormatFromhost,"%rawmsg::20:date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%" I was hoping the date-rfc3339 tag would format the date found in that section of the rawmsg but it doesn't appear to work. Perhaps that is only valid with the %timestamp% macros. Is there any way to get the date converted to the rfc3339 format? > well, it's a little hard to tell, but is the time supposed to be provided by > the > application when writing to /dev/log? or is it just supposed to be '<pri> > syslogtag: message'? > > looking at the documentation: > http://www.rsyslog.com/doc/v8-stable/configuration/modules/imuxsock.html > > Application-provided timestamps are ignored by default. This is needed, as > some > programs (e.g. sshd) log with inconsistent timezone information, what messes > up > the local logs (which by default don’t even contain time zone information). > This > seems to be consistent with what sysklogd did for the past four years. > Alternate > behaviour may be desirable if gateway-like processes send messages via the > local > log slot - in this case, it can be enabled via the IgnoreTimestamp and > SysSock.IgnoreTimestamp config directives > > David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
