Syslog messages after
09-22-2014 02:08 PM
About a month ago we upgraded to 188.8.131.52 on our Aruba 3600 controllers. Since that time the syslog messages have included the year after the month day and time. Previously the syslogs were boken up by ip (or hostname)/year/month/day and then a log file for every hour. (Full disclosure: this was not my doing but the person before me in this role). The result is that all the logs from the controllers and ap's go to a folder (hostname) called "2014" so the path is now 2014/2014/09/22 has anyone else run into this problem? Have any creative ways to solve this? Eventually I would like to just dump everyting to Splunk but until we by it this is what I have.
Re: Syslog messages after
09-25-2014 06:28 AM - edited 09-25-2014 06:33 AM
Fixing this is an open feature request here:
...you may want to vote it up.
We looked into how to teach rsyslog to deal with this unusual date format, but
it looked like we would have to create our own parser and compile rsyslog from source
in order to do that, or do a prohibitively clever set of variable manipulations in the
config file to reshuffle everything.
The date they are sending now is not complaint with newer syslog date formats that do include the year, nor is is compliant with the older standard which explicitly says not to do the exact thing that that Aruba did here:
It has been seen that some original syslog messages contain a more explicit time stamp in which a 2 character or 4 character year field immediately follows the space terminating the TIMESTAMP. This is not consistent with the original intent of the order and format of the fields. If implementers wish to contain a more specific date and time stamp within the transmitted message, it should be within the CONTENT field. Implementers may wish to utilize the ISO 8601  date and time formats if they want to include more explicit date and time information."