Normally a syslog server does not do anything with the timestamp in your log, think more of it like a long text line which include the time as seen by the device. Many syslog servers include their own timestamp when received as you should not trust the timestamp in log message because it's hard to tell how well the clock is in sync. The time on the receiving syslog server is the same for all syslog sources, so it's the better choice to reference.
What you can see in the packet capture is that both the syslog facility (LOCAL0 s LOCAL7) and the level (WARNING vs INFO) are different, and those are likely to determine if and where the receiving syslog server is writing your logs. I think it's quite unlikely that the time format in the syslog message has anything to do with that.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 24, 2023 11:55 AM
From: cdias
Subject: Format of timestamp in syslog messages
Hi Carson,
Thanks for the update.
As I said I think this configurations are more related to how the system saves the logs.
But my problem is a bit different. I have several systems sending syslog messages to a rsyslog server.
For all of them the system saves the messages at the directory where I configured them.
But there is a system that I can see I receive the messages (using tcpdump), but the messages are not stored.
Is there a place I can see why? I imagines it was because of a different time stamp.
Regards
_______________________
Carlos Dias
Technical Consultant
Original Message:
Sent: 10/24/2023 9:51:00 AM
From: chulcher
Subject: RE: Format of timestamp in syslog messages
This still looks like something that can be handled on the rsyslog side using a parser.
https://www.rsyslog.com/doc/master/whitepapers/syslog_parsing.html
https://www.rsyslog.com/doc/master/configuration/property_replacer.html
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 24, 2023 05:32 AM
From: cdias
Subject: Format of timestamp in syslog messages
Hi Carson
I have already come across with those profiles, but from my understanding it only changes the way I save the logs.
My problem is different, the remote system sends logs in a format that rsyslog down not understand and does not save it.
I am sure the server received the logs because I did a tcpdump, but the logs are not saved.
For example a device that the server saves the log messages:
And an example of a device that send the logs, but they are not saved:
Regards
_______________________
Carlos Dias
Technical Consultant
Original Message:
Sent: 10/23/2023 2:16:00 PM
From: chulcher
Subject: RE: Format of timestamp in syslog messages
I would recommend looking into how rsyslog can interpret or modify the incoming information.
https://stackoverflow.com/questions/75978447/rsyslog-convert-msg-timestamp-to-rfc3339-format
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 23, 2023 12:30 PM
From: cdias
Subject: Format of timestamp in syslog messages
Hi,
Am am running a iAP cluster with release 8.7.1.1_78245
I am sending the logs to a rsyslog Linux server
The problem is that the time format is not what I need.
The message should start by for example 2023-10.23T10:34:36, but iAPs send Oct 23 17:25:18 2023
This is not ISO and confuses rsyslog
Can someone advise?
Thanks