| View previous topic :: View next topic |
| Author |
Message |
toralf
Developer
Joined: 01 Feb 2004
Posts: 3745
Location: Hamburg
|
 Posted: Sun Nov 22, 2015 9:33 pm Post subject: syslog-ng-3.7.2 has broken timestamps (again) |
 |
|
Damn, now I'm really annoyed that this issue appears again : 2 different time stamps for the same event in 2 different files: | Code: | log # grep SYN *log
kern.log:Nov 20 22:26:29 tor-relay kernel: [2431358.124515] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.
syslog:Nov 20 22:02:34 tor-relay kernel: TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.
|
/me wonders which logger is worth to switch to it ? After running twice into this mess within 1 year I can't now any longer trust into the Balabit company and their software any longer.
I'm looking especially for a logger which have the capability to grep for patterns and write the matching log entries into dedicated files.
Last edited by toralf on Fri Jan 22, 2016 9:13 pm; edited 3 times in total |
|
| Back to top |
|
 |
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4355
Location: Dallas area
|
| Posted: Sun Nov 22, 2015 9:39 pm Post subject: |
|
|
syslog-ng does search for patterns.
From my syslog-ng.conf
destination iptables { file("/var/log/firewall" perm(0640)); };
...
filter f_iptables { match("IPTABLES:" value("MESSAGE")); };
...
log { source(src); filter(f_iptables); destination(iptables); };
filter f_messages { level(info..emerg) and not filter (f_iptables) and not filter (f_smartd) and not facility(cron, mail, auth, authpriv); };
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon |
|
| Back to top |
|
|
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6770
Location: Blighty
|
|
| Back to top |
|
|
toralf
Developer
Joined: 01 Feb 2004
Posts: 3745
Location: Hamburg
|
| Posted: Mon Nov 23, 2015 1:05 pm Post subject: |
|
|
| UberLord wrote: | To me, it looks like the same event at different times, so it's fine? (From a syslog POV).
For BSD at least, the syslog(3) call is made in libc where the date/time part is formatted before sending to the syslog socket.
If we assume that glibc is the same, then changing the logger will have zero effect. |
Well, in this case the timestamps are wrong, upstream confirmed it https://github.com/balabit/syslog-ng/issues/766#issuecomment-158874323
But the origin question is still - which *other* logger fits my needs ? |
|
| Back to top |
|
|
toralf
Developer
Joined: 01 Feb 2004
Posts: 3745
Location: Hamburg
|
|
| Back to top |
|
|
Syl20
Guru
Joined: 04 Aug 2005
Posts: 568
Location: France
|
| Posted: Mon Jan 25, 2016 5:27 pm Post subject: |
|
|
| Rsyslog is a little more rustic, but you can set filters too. |
|
| Back to top |
|
|
|
Networking & Security
