http://pastebin.com/TzPVzknt
The 2 lines I have previously seen with hi-res times are 15 and 23

----- Original Message -----
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Rodney McKee
> > Sent: Monday, July 18, 2011 8:11 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] timereported:::date-rfc3339
> > 
> > The following log has a restart of auditd and a ssh connection during the debug run.
> > http://pastebin.com/cRPuA1Z8
> 
> Thanks! Unfortunately, the instrumentation does not provide what I am looking
> for (maybe because of an older build, maybe it's just not there...). Can you
> please also write all messages to a file with RSYSLOG_DebugFormat and post
> that file.
> 
> With 5.8.0, you should probably never see hires, so I am a bit puzzled. Maybe
> auditd does some "interesting" things to the log socket. Note that rsyslog
> expects syslog() API format, but older versions (like 5.8.0) did not enforce
> that.
> 
> Rainer
> > 
> > ----- Original Message -----
> > >
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:rsyslog-
> > > > [email protected]] On Behalf Of Rodney McKee
> > > > Sent: Monday, July 18, 2011 7:41 AM
> > > > To: rsyslog-users
> > > > Subject: Re: [rsyslog] timereported:::date-rfc3339
> > > >
> > > > Wow, Rainer, thanks for the quick response.
> > > >
> > > > So on a local system some processes actually provide a high res time
> > > > that rsyslog then logs as %timereported%.
> > >
> > > As far as the local sockets are concerned, things should be consistent. If
> > > that's not the case, it is best if you provide a debug log -- the log samples
> > > just show the result but not how we arrived there :)
> > >
> > > Rainer
> > >
> > > > Did not realize this would be happening. I guess that most clients then
> > > > do not provide the hi-res times and this might explain some messages
> > > > having the time and most not:
> > > >
> > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.702529+10:00  The audit daemon is exiting.
> > > > Jul 18 14:27:10 2011-07-18T14:27:10.703673+10:00 2011-07-18T14:27:10.703673+10:00 audit(1310963230.693:4484770): audit_pid=0 old=1773 by auid=4294967295
> > > > Jul 18 14:27:10 2011-07-18T14:27:10.867738+10:00 2011-07-18T14:27:10.867738+10:00 audit(1310963230.864:4484771): auid=672 op=remove rule key=(null) list=2 res=1
> > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.959443+10:00  Warning - freq is non-zero and incremental flushing not selected.
> > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.978467+10:00  Started dispatcher: /sbin/audispd pid: 4794
> > > > Jul 18 14:27:10 2011-07-18T14:27:10.981061+10:00 2011-07-18T14:27:10.981061+10:00 audit(1310963230.979:4484772): audit_pid=4792 old=0 by auid=672
> > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.998047+10:00  af_unix plugin initialized
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > > -----Original Message-----
> > > > > > From: [email protected] [mailto:rsyslog-
> > > > > > [email protected]] On Behalf Of Rodney McKee
> > > > > > Sent: Monday, July 18, 2011 6:00 AM
> > > > > > To: rsyslog-users
> > > > > > Subject: [rsyslog] timereported:::date-rfc3339
> > > > > >
> > > > > > What affects the recording of milliseconds when using
> > > > > > timereported:::date-rfc3339?
> > > > >
> > > > > This field contains what the sender told us. If the sender sent no ms,
> > > > > we can not report them. Rather than to pretend "x.000000" they are
> > > > > there, we do not give them. Note that for the same reason there may be
> > > > > sub-ms resolution, like us, if that is what the sender reported.
> > > > >
> > > > > Note that starting with the latest v5-devel version AND a recent Linux
> > > > > kernel, we can ask the system for more precise timestamps on messages
> > > > > that come in via the log socket.
> > > > >
> > > > > Rainer
> > > > >
> > > > > > Some log entries get milliseconds and some do not:
> > > > > > The template:
> > > > > > "%TIMESTAMP% %timereported:::date-rfc3339% %timegenerated:::date-rfc3339% %msg%\n"
> > > > > >
> > > > > > The output:
> > > > > > Jul 18 13:58:30 2011-07-18T13:58:30+10:00 2011-07-18T13:58:30.723250+10:00 test
> > > > > >
> > > > > > Am I missing something?
> > > > > >
> > > > > > Rgds
> > > > > > Rodney
> > > > > > _______________________________________________
> > > > > > rsyslog mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > http://www.rsyslog.com
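
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not rsyslog code: a Python sketch that reads lines in the thread's template layout and reports how many sub-second digits the sender supplied in timereported, the resulting bound on the event time, and the gap to timegenerated. The function names are hypothetical; the two sample lines are copied from the output quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Layout written by the thread's template:
# %TIMESTAMP% %timereported:::date-rfc3339% %timegenerated:::date-rfc3339% %msg%
LINE_RE = re.compile(
    r"^(?P<legacy>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<reported>\S+) (?P<generated>\S+) (?P<msg>.*)$"
)

# Sample lines copied from the output quoted in the thread.
SAMPLE = [
    "Jul 18 14:27:10 2011-07-18T14:27:10+10:00 "
    "2011-07-18T14:27:10.702529+10:00  The audit daemon is exiting.",
    "Jul 18 14:27:10 2011-07-18T14:27:10.703673+10:00 "
    "2011-07-18T14:27:10.703673+10:00 audit(1310963230.693:4484770): "
    "audit_pid=0 old=1773 by auid=4294967295",
]


def fraction_digits(stamp):
    """Count the sub-second digits in an RFC 3339 timestamp string."""
    m = re.search(r"\.(\d+)", stamp)
    return len(m.group(1)) if m else 0


def analyze(line):
    """Return sender precision and time bounds for one line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        reported = datetime.fromisoformat(m["reported"])
        generated = datetime.fromisoformat(m["generated"])
    except ValueError:
        return None
    digits = fraction_digits(m["reported"])
    # The sender's value is only known to its last digit, so the event lies
    # in [earliest, latest): one second wide when no fraction was sent.
    resolution = timedelta(seconds=10 ** -digits)
    return {
        "sender_digits": digits,
        "earliest": reported,
        "latest": reported + resolution,
        "receive_lag": generated - reported,
        "msg": m["msg"].strip(),
    }


if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyze(entry))
```

When building a timeline from such a file, entries with `sender_digits` of 0 can only be ordered against each other to the second; `timegenerated` gives the receiver's arrival time, not the sender's event time.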