12-16-2013 10:14 AM
Standard Syslog messages should NOT include the year in the first few fields of a syslog entry. Prior to our upgrade to v.6.1 syslog entries looked like this (emphasis added):
Jan 15 14:11:04 2009 [10.1.10.10] sapd: <326091> <NOTI> |AP email@example.com sapd| AM: Radio Stats: APs=2 STAs=0 Mon-APs=6 Mon-STAs=2
Jan 15 14:11:05 2009 [10.1.10.10] wms: <316094> <WARN> |wms| Could not create entry for station 00:1f:e1:1e:ee:cb
Jan 15 14:11:05 2009 [10.1.10.10] wms: <316094> <WARN> |wms| Could not create entry for station 00:18:de:b2:f7:34
Mar 2 09:10:56 2011 [10.1.253.5] authmgr: <522008> <NOTI> |authmgr| User authenticated: Name=jsmith MAC=c8:bc:c8:29:59:aa IP=100.100.160.249 method=802.1x server=iFolder role=pre-employee
After upgrading to 6.1, the format changed to the correct format (no year):
Nov 14 10:06:56 10.1.143.233 sapd: <404074> <WARN> <10.1.253.5 10.1.253.5> AM 00:24:6c:b0:6c:20: ARM - increasing power cov-index 6/1 tx-power 6 new_rra 6/7
Nov 14 10:08:41 Sandy3600 localdb: <133019> <ERRS> <Sandy3600 10.1.253.5> User 40:6a:ab:1c:9d:77 was not found in the database
Nov 14 10:08:41 Sandy3600 localdb: <133006> <ERRS> <Sandy3600 10.1.253.5> User 40:6a:ab:1c:9d:77 Failed Authentication
Now after upgrading to 6.2, the year is back in the messages.
Dec 12 09:06:34 2013 Sandy3600 localdb: <133006> <ERRS> <Sandy3600 10.15.253.45> User 60:fb:42:3c:18:66 Failed Authentication
Anyone have any idea how to disable the year being included in syslog messages? Or why they might have reappeared with the 6.2 upgrade? The year field really messes up our syslog server.
12-17-2013 01:30 AM
I'm happy to be challenged on this, but this is my understanding...
RFC 5424 requires the year.
RFC 3164 (obsolete) doesn't require the year.
So, whether or not it's in there depends what RFC the developer was following.
I don't believe the ability to format or follow a specific variant of RFC (by way of config) exists.
Having said that, doesn't upgrading to 6.2 resolve your issue (which I assume is to do with the syslog server parsing for information/alerting) based on what you've said?
08-07-2014 01:27 PM
What you state is not completely true.
It is correct that RFC 5424 obsoletes RFC 3164 but this also changes a lot of other things.
When you create a syslog server that follows RFC 5424 you have the option to follow one of the 4 following formats for the timestamp field in the message:
When you stick with RFC 3164 the timestamp and following hostname format is very specifically defined and doesn't leave any options open. The format MUST be:
Aug 7 17:45:30 hostname
The Aruba controller now does the following and this is very wrong:
Aug 7 17:45:30 2014 hostname
This is as far as I understand it so far after reading both RFCs.
Jan Hugo Prins
08-07-2014 03:48 PM - edited 08-07-2014 03:48 PM
The end result of this is that anyone scratching their head looking for their controller syslogs who is running rsyslog and putting their logs in files based on the hostname should look for files called "2014.*".
There's no super-easy way to fix rsyslog for this nonstandard format. You either have to build your own from source or play crazy games with variable reassignments.
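A pre-processing sketch for the parsing problem discussed in this thread, added here as an example and not posted by any participant or taken from Aruba or rsyslog. It accepts both the RFC 3164 header and the variant with a year after the time, so the hostname is never read as "2013" or "2014"; the function names and the `default_year` parameter are assumptions of this example.

```python
import re
from datetime import datetime

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# "Mmm d hh:mm:ss [YYYY] host rest". The optional 4-digit year is the
# nonstandard field that a strict RFC 3164 parser takes for the hostname.
# Caveat: a device really named with four digits would be misread as a year.
HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?:(?P<year>\d{4}) )?(?P<host>\S+)(?: (?P<rest>.*))?$"
)

def parse(line, default_year):
    """Return (timestamp, hostname, message) for either header variant."""
    m = HEADER.match(line.rstrip("\n"))
    if m is None or m["mon"] not in MONTHS:
        raise ValueError("unrecognised syslog header: %r" % line)
    # RFC 3164 carries no year, so the caller supplies one for those lines.
    year = int(m["year"]) if m["year"] else default_year
    ts = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]))
    # Older samples in the thread wrap the source address in brackets.
    return ts, m["host"].strip("[]"), m["rest"] or ""

def to_rfc3164(line, default_year):
    """Rewrite a line with the year removed and the day space-padded."""
    ts, host, rest = parse(line, default_year)
    head = "%s %2d %s %s" % (MONTHS[ts.month - 1], ts.day,
                             ts.strftime("%H:%M:%S"), host)
    return head + (" " + rest if rest else "")

# Sample lines copied from the posts in this thread.
SAMPLES = [
    "Dec 12 09:06:34 2013 Sandy3600 localdb: <133006> <ERRS> "
    "<Sandy3600 10.15.253.45> User 60:fb:42:3c:18:66 Failed Authentication",
    "Nov 14 10:08:41 Sandy3600 localdb: <133006> <ERRS> "
    "<Sandy3600 10.1.253.5> User 40:6a:ab:1c:9d:77 Failed Authentication",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_rfc3164(sample, default_year=2013))
```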
04-28-2016 05:56 PM
I've run into this same issue. The fact that the year is included in the syslog message in its current format messes with the way the syslog server parses the messages.
What's odd is if you look at the messages locally using show log user-debug, for example, the output here does not include the year and is what I would expect the syslog message to be.
Does anyone have a fix for this issue?