Wireless Access

New Contributor
Posts: 1
Registered: ‎09-03-2013

Syslog date format

Standard Syslog messages should NOT include the year in the first few fields of a syslog entry.  Prior to our upgrade to v.6.1 syslog entries looked like this (emphasis added):

Jan 15 14:11:04 2009 [] sapd[215]: <326091> <NOTI> |AP 1.3.4@ sapd|  AM: Radio Stats: APs=2 STAs=0 Mon-APs=6 Mon-STAs=2
Jan 15 14:11:05 2009 [] wms[521]: <316094> <WARN> |wms|  Could not create entry for station 00:1f:e1:1e:ee:cb
Jan 15 14:11:05 2009 [] wms[521]: <316094> <WARN> |wms|  Could not create entry for station 00:18:de:b2:f7:34
Mar  2 09:10:56 2011 [] authmgr[598]: <522008> <NOTI> |authmgr|  User authenticated: Name=jsmith MAC=c8:bc:c8:29:59:aa IP= method=802.1x server=iFolder role=pre-employee

After upgrading to 6.1, the format changed to the correct format (no year)


Nov 14 10:06:56 sapd[918]: <404074> <WARN> <>  AM 00:24:6c:b0:6c:20: ARM - increasing power cov-index 6/1 tx-power 6 new_rra 6/7
Nov 14 10:08:41 Sandy3600 localdb[1569]: <133019> <ERRS> <Sandy3600>  User 40:6a:ab:1c:9d:77 was not found in the database
Nov 14 10:08:41 Sandy3600 localdb[1569]: <133006> <ERRS> <Sandy3600>  User 40:6a:ab:1c:9d:77 Failed Authentication

Now after upgrading to 6.2, the year is back in the messages. 


Dec 12 09:06:34 2013 Sandy3600 localdb[1764]: <133006> <ERRS> <Sandy3600>  User 60:fb:42:3c:18:66 Failed Authentication


Anyone have any idea how to disable the year being included in syslog messages? or why they might have reappeared with the 6.2 upgrade?  The year field really messes up our syslog server.

Posts: 562
Registered: ‎11-28-2011

Re: Syslog date format

I'm happy to be challenged on this, but this is my understanding...


RFC 5424 requires the year.


RFC 3164 (obsolete) doesn't require the year.


So, whether or not it's in there depends what RFC the developer was following.


I don't believe the ability to format or follow as specific variant of RFC (by way of config) exists.


Having said that, doesn't upgrading to 6.2 resolve your issue (which I assume is to do with the syslog server parsing for information/alerting) based on what you've said?

Kudos appreciated, but I'm not hunting! (ACMX 104)
New Contributor
Posts: 1
Registered: ‎08-07-2014

Re: Syslog date format



What you state is not completly true.

It is correct that RFC 5424 obsoletes RFC 3164 but this also changes a lot of other things.

When you create a syslog server that follows RFC 5424 you have the option to follow one of the 4 following formats for the timestamp field in the message:






When you stick with RFC 3164 the timestamp and following hostname format is very specific defined and doesn't leave any options open. The format MUST me:


Aug  7 17:45:30 hostname


The Aruba controller now does the following and this is very wrong:


Aug  7 17:45:30 2014 hostname


This is as far as I understand it so far after reading both RFC's.


Jan Hugo Prins



Super Contributor I
Posts: 269
Registered: ‎04-04-2014

Re: Syslog date format

[ Edited ]


The end result of this is that anyone scratching their head looking for their controller syslogs who is running rsyslog and putting their logs in files based on the hostname should look for files called "2014.*".


There's no super-easy way to fix rsyslog for this nonstandard format.  You either have to build your own from source or play crazy games with variable reassignments.


New Contributor
Posts: 1
Registered: ‎04-28-2016

Re: Syslog date format

I've run into this same issue. The fact that the year is included in the syslog message in its current format messes with the way the syslog server parses the messages.


What's odd is if you look at the messages locally using show log user-debug, for example, the output is here does not include the year and is what I would expect the syslog message to be.


Does anyone have a fix for this issue?


Search Airheads
Showing results for 
Search instead for 
Did you mean: