Change date format in syslog

Is there any way to change the date format in a specific log file written by syslog? I do not want to change the way all logs are logged, only this one log file.

EDIT: I am using syslogd (on FreeBSD)

This is what my file looks like:

    Dec 5 07:52:10 Log data 1
    Dec 5 07:52:10 Log data 2
    Dec 5 07:52:10 Log data 3

This is how I want it to look:

    20131205 07:52:10 Log data 1
    20131205 07:52:10 Log data 2
    20131205 07:52:10 Log data 3

My syslog.conf looks like this, where /var/log/my_log.log is my log file:

    +@
    *.notice;local0.none;local1.none;local2.none;authpriv.none;kern.debug;mail.crit;news.err /var/log/messages
    security.* /var/log/security
    auth.info;authpriv.info /var/log/auth.log
    mail.info /var/log/maillog
    ftp.info /var/log/xferlog
    cron.* /var/log/cron
    *.=debug /var/log/debug.log
    console.info /var/log/console.log
    local1.info /var/log/my_log.log
+6
3 answers

I ended up using an awk script to run through the log file and replace the date field:

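    awk '{
        # Reparse the "Mon D HH:MM:SS" prefix with FreeBSD date(1)
        getDate = "date -j -f \"%b %d %H:%M:%S\" \"" $1 " " $2 " " $3 "\" \"+%Y%m%d %H:%M:%S\""
        while ((getDate | getline date) > 0) { }
        close(getDate)
        # Print the new stamp, then the line without its old three-field stamp
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, ""); print date, $0
    }' Temp1 > Temp2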
+2
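An added example, not part of the original answer: the same post-processing done entirely inside awk, so no `date` process is spawned per line and no text from the log file is ever placed on a shell command line. It goes beyond the answer by inferring the year, which BSD syslog timestamps omit; the function name `convert_syslog_dates`, its reference year and month arguments, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Usage: convert_syslog_dates REF_YEAR REF_MONTH < logfile > converted
# REF_YEAR/REF_MONTH describe when the newest line in the file was written.
convert_syslog_dates() {
    awk -v year="$1" -v refmon="$2" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) mon[names[i]] = i
    }
    # Rewrite only lines that start with a well-formed BSD syslog timestamp.
    ($1 in mon) && $2 ~ /^[0-9][0-9]?$/ && $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        m = mon[$1]
        # No year in the stamp: a month later than the reference month must
        # belong to the previous year (e.g. December lines read in January).
        y = (m > refmon) ? year - 1 : year
        stamp = sprintf("%04d%02d%02d %s", y, m, $2, $3)
        # Remove the old three-field stamp, keep the message text verbatim.
        rest = $0
        sub(/^[A-Za-z]+ +[0-9]+ +[0-9:]+ ?/, "", rest)
        print stamp, rest
        next
    }
    # Everything else (already converted or malformed lines) passes through.
    { print }
    '
}

# Constructed sample input, including the space-padded day that syslogd writes.
sample_log() {
    printf '%s\n' \
        'Dec  5 07:52:10 Log data 1' \
        'Jan  2 00:00:01 Log data 2' \
        'not a timestamped line'
}

# Demo: treat the file as having been last written in January 2014.
sample_log | convert_syslog_dates 2014 1
```

Lines that do not begin with a recognizable timestamp are left untouched, so running the conversion twice over the same file does not alter it further.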

Even though you found another solution, I am giving an answer for others.

Modify the syslog configuration file (in Debian, for example: /etc/syslog-ng/syslog-ng.conf ).

Then declare a new template as follows:

    template template_date_format {
        template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
        template_escape(no);
    };

This is an example, but you can use different macros according to the syslog documentation linked in user9645's answer.

After that, find in this configuration file all the files whose output format you want to change, and apply this template to them.

For example, to change the output format of /var/log/auth.log, I change:

    destination d_auth { file("/var/log/auth.log"); };

to:

    destination d_auth { file("/var/log/auth.log" template(template_date_format)); };

Then restart syslog ( service syslog-ng restart ) and try logging in to see the changes in auth.log .

+6

I had the same problem using FreeBSD 9.2 and the Zabbix system monitor GUI, which cannot handle things like 'Jan' or 'Feb' in a date stamp (!) in syslog messages.

What I did was install the sysutils/syslog-ng port and use the convert-syslogconf.awk script to migrate my /etc/syslog.conf to /usr/local/etc/syslog-ng.conf (which, fortunately, worked well with a rather complicated configuration), and add this custom formatting template to all file() assignments:

    template t_msgfmt {
        template("${ISODATE} ${HOST} ${FACILITY} ${LEVEL} ${MSGHDR}${MSG}\n");
        template_escape(no);
    };

More information on formatting can be found in section 11.1 of the syslog-ng manual. It works well for me (for now); hope it helps you!

+3

Source: https://habr.com/ru/post/959389/

