Package: rsyslog Version: 8.2302.0-1 Severity: important Dear Maintainer,
I'm using rsyslog to log local events and remote events to the same log. For this I've enabled UDP receiving. The main machine is the host, while the other machines logging via UDP are virtual machines running on that host. The network carrying the syslog traffic is not visible outside the host machine. The version of rsyslog in Debian stable now uses the new international timestamp format by default. Unfortunately this format differs for local and remote logs. The local machine by default logs in the following format: 2024-02-16T22:05:52.315463+01:00 tux [...] while a machine logging via UDP appears like this: 2024-02-16T22:06:02+01:00 tux1 [...] Please observe that the sub-seconds part of the timestamp is not included in the remote logs. Unfortunately this causes logcheck to completely ignore all the remote logs because it matches on a 32-byte timestamp (and the timestamp of the remote machine only has 25 byte). I had to revert to the old 'traditional' log format (which was the default in previous versions of syslog shipped by Debian) with the following config line: $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat You will have to remove that line from the appended config file for reproducing the issue. Fortunately the old 'traditional' format is still supported by logcheck. Expected behavior: The timestamp format logcheck produces with the default configuration should be made the same for local and remote logs. -- System Information: Debian Release: 12.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-18-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages rsyslog depends on: ii libc6 2.36-9+deb12u4 ii libestr0 0.1.11-1 ii libfastjson4 1.2304.0-1 ii liblognorm5 2.0.6-4 ii libsystemd0 252.22-1~deb12u1 ii libuuid1 2.38.1-5+b1 ii libzstd1 1.5.4+dfsg2-5 ii zlib1g 1:1.2.13.dfsg-1 Versions of packages rsyslog recommends: ii logrotate 3.21.0-1 Versions of packages rsyslog suggests: pn rsyslog-doc <none> pn rsyslog-gssapi <none> pn rsyslog-mongodb <none> pn rsyslog-mysql | rsyslog-pgsql <none> pn rsyslog-openssl | rsyslog-gnutls <none> pn rsyslog-relp <none> -- Configuration Files: /etc/rsyslog.conf changed: module(load="imuxsock") # provides support for local system logging module(load="imklog") # provides kernel logging support module(load="imudp") input(type="imudp" port="514") $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $FileOwner root $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $WorkDirectory /var/spool/rsyslog $IncludeConfig /etc/rsyslog.d/*.conf *.*;auth,authpriv.none -/var/log/syslog auth,authpriv.* /var/log/auth.log cron.* -/var/log/cron.log kern.* -/var/log/kern.log mail.* -/var/log/mail.log user.* -/var/log/user.log -- no debconf information