Ahh, I now see it. Look at the raw messages. Lines 7 and 31 are correctly
formatted. Lines 15 and 23 have an invalid format. With an invalid format,
interpretation is not guaranteed. Looks like 5.8.0 in that case uses the
timestamp of message reception. I suggest using the current stable; I think
it will work somewhat differently. Bottom line is that auditd should emit the
proper format.

Rainer


> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Rodney McKee
> Sent: Monday, July 18, 2011 8:26 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] timereported:::date-rfc3339
> 
> http://pastebin.com/TzPVzknt
> The 2 lines I have previously seen with hi-res times are 15 and 23
> 
> ----- Original Message -----
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Rodney McKee
> > > Sent: Monday, July 18, 2011 8:11 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] timereported:::date-rfc3339
> > >
> > > The following log has a restart of auditd and an ssh connection
> > > during the debug run.
> > > http://pastebin.com/cRPuA1Z8
> >
> > Thanks! Unfortunately, the instrumentation does not provide what I am
> > looking for (maybe because of an older build, maybe it's just not
> > there...). Can you please also write all messages to a file with
> > RSYSLOG_DebugFormat and post that file.
> >
> > With 5.8.0, you should probably never see hires, so I am a bit puzzled.
> > Maybe auditd does some "interesting" things to the log socket. Note that
> > rsyslog expects syslog() API format, but older versions (like 5.8.0) did
> > not enforce that.
> >
> > Rainer
> > >
> > > ----- Original Message -----
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: [email protected] [mailto:rsyslog-
> > > > > [email protected]] On Behalf Of Rodney McKee
> > > > > Sent: Monday, July 18, 2011 7:41 AM
> > > > > To: rsyslog-users
> > > > > Subject: Re: [rsyslog] timereported:::date-rfc3339
> > > > >
> > > > > Wow, Rainer, thanks for the quick response.
> > > > >
> > > > > So on a local system some processes actually provide a high res
> > > > > time that rsyslog then logs as %timereported%.
> > > >
> > > > As far as the local sockets are concerned, things should be
> > > > consistent. If that's not the case, it is best if you provide a
> > > > debug log -- the log samples just show the result but not how we
> > > > arrived there :)
> > > >
> > > > Rainer
> > > >
> > > > > Did not realize this would be happening. I guess that most
> > > > > clients then do not provide the hi-res times and this might
> > > > > explain some messages having the time and most not:
> > > > >
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.702529+10:00  The audit daemon is exiting.
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10.703673+10:00 2011-07-18T14:27:10.703673+10:00 audit(1310963230.693:4484770): audit_pid=0 old=1773 by auid=4294967295
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10.867738+10:00 2011-07-18T14:27:10.867738+10:00 audit(1310963230.864:4484771): auid=672 op=remove rule key=(null) list=2 res=1
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.959443+10:00  Warning - freq is non-zero and incremental flushing not selected.
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.978467+10:00  Started dispatcher: /sbin/audispd pid: 4794
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10.981061+10:00 2011-07-18T14:27:10.981061+10:00 audit(1310963230.979:4484772): audit_pid=4792 old=0 by auid=672
> > > > > Jul 18 14:27:10 2011-07-18T14:27:10+10:00 2011-07-18T14:27:10.998047+10:00  af_unix plugin initialized
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > > -----Original Message-----
> > > > > > > From: [email protected] [mailto:rsyslog-
> > > > > > > [email protected]] On Behalf Of Rodney McKee
> > > > > > > Sent: Monday, July 18, 2011 6:00 AM
> > > > > > > To: rsyslog-users
> > > > > > > Subject: [rsyslog] timereported:::date-rfc3339
> > > > > > >
> > > > > > > What affects the recording of milliseconds when using
> > > > > > > timereported:::date-rfc3339?
> > > > > >
> > > > > > This field contains what the sender told us. If the sender sent
> > > > > > no ms, we can not report them. Rather than to pretend "x.000000"
> > > > > > they are there, we do not give them. Note that for the same reason
> > > > > > there may be sub-ms resolution, like us, if that is what the
> > > > > > sender reported.
> > > > > >
> > > > > > Note that starting with the latest v5-devel version AND a recent
> > > > > > Linux kernel, we can ask the system for more precise timestamps on
> > > > > > messages that come in via the log socket.
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > > Some log entries get milliseconds and some do not:
> > > > > > > The template:
> > > > > > > "%TIMESTAMP% %timereported:::date-rfc3339% %timegenerated:::date-rfc3339% %msg%\n"
> > > > > > >
> > > > > > > The output:
> > > > > > > Jul 18 13:58:30 2011-07-18T13:58:30+10:00 2011-07-18T13:58:30.723250+10:00 test
> > > > > > >
> > > > > > > Am I missing something?
> > > > > > >
> > > > > > > Rgds
> > > > > > > Rodney
> > > > > > > _______________________________________________
> > > > > > > rsyslog mailing list
> > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > http://www.rsyslog.com
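An added illustration, not part of the original thread and not rsyslog's own parser: a simplified Python model of the behaviour Rainer describes, where %timereported% is whatever the sender put in the header (fraction only if the sender sent one), and a message whose header cannot be interpreted falls back to the receiver's reception time. The sample socket messages are constructed from the log lines quoted in the thread; treating a message without a `<PRI>` prefix as invalid, and rendering the fallback at whole-second resolution, are assumptions of this model chosen to match the output shown above, not statements about rsyslog 5.8.0 internals.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified model of how a syslog receiver derives %timereported% from a
# message read off the local log socket. This is an illustration of the
# behaviour described in the thread, not rsyslog's own parser.

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# syslog() API framing: "<PRI>" followed by the timestamp and message.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3339 header with an optional 1-6 digit fraction and a mandatory zone.
RFC3339_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2}) ")
# Traditional BSD header "Mmm dd hh:mm:ss " (day may be space padded).
BSD_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d{2}):(\d{2}):(\d{2}) ")


def _zone(token):
    if token == "Z":
        return timezone.utc
    sign = 1 if token[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(token[1:3]),
                                     minutes=int(token[4:6])))


def parse_socket_message(raw, received_at, default_year):
    """Return (timereported, hires, source, msg) for one raw socket message.

    received_at  - the receiver's own clock reading (%timegenerated%), tz-aware
    default_year - BSD headers carry no year, so the receiver must assume one
    source       - "rfc3339", "bsd" or "reception" (header unusable)
    """
    pri = PRI_RE.match(raw)
    if pri:
        body = raw[pri.end():]
        m = RFC3339_RE.match(body)
        if m:
            y, mo, d, hh, mi, ss, frac, zone = m.groups()
            usec = int((frac or "0").ljust(6, "0"))
            ts = datetime(int(y), int(mo), int(d), int(hh), int(mi), int(ss),
                          usec, tzinfo=_zone(zone))
            # hires only if the sender actually sent a fraction
            return ts, frac is not None, "rfc3339", body[m.end():]
        m = BSD_RE.match(body)
        if m and m.group(1) in MONTHS:
            mon, d, hh, mi, ss = m.groups()
            ts = datetime(default_year, MONTHS[mon], int(d), int(hh), int(mi),
                          int(ss), tzinfo=received_at.tzinfo)
            return ts, False, "bsd", body[m.end():]
    # No PRI or no parseable header: fall back to the receiver's own clock.
    # Treating a missing <PRI> as invalid, and dropping the fraction here,
    # are assumptions of this model chosen to match the output in the thread.
    return received_at.replace(microsecond=0), False, "reception", raw


def fmt_rfc3339(dt, hires):
    """date-rfc3339 rendering: emit a fraction only when one was reported."""
    out = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if hires:
        out += ".%06d" % dt.microsecond
    off = dt.strftime("%z")          # e.g. "+1000"
    return out + off[:3] + ":" + off[3:]


def fmt_bsd(dt):
    """%TIMESTAMP% in its traditional form, day space padded."""
    return "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))


def render(raw, received_at, default_year=2011):
    """Render one message with the template from the thread:
    "%TIMESTAMP% %timereported:::date-rfc3339% %timegenerated:::date-rfc3339% %msg%"
    """
    ts, hires, _source, msg = parse_socket_message(raw, received_at, default_year)
    return " ".join([fmt_bsd(ts), fmt_rfc3339(ts, hires),
                     fmt_rfc3339(received_at, True), msg])


# Constructed samples (not captured data), all "received" at the same instant.
TZ = timezone(timedelta(hours=10))
RECEIVED = datetime(2011, 7, 18, 14, 27, 10, 702529, tzinfo=TZ)
SAMPLES = [
    "<13>Jul 18 14:27:10 The audit daemon is exiting.",            # BSD: seconds only
    "<13>2011-07-18T14:27:10.703673+10:00 audit(1310963230.693:4484770): "
    "audit_pid=0 old=1773 by auid=4294967295",                     # RFC 3339 with usec
    "<13>2011-07-18T14:27:10+10:00 af_unix plugin initialized",    # RFC 3339, no fraction
    "Started dispatcher: /sbin/audispd pid: 4794",                 # no PRI, no header
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render(sample, RECEIVED))
```

Running it reproduces the mix seen in the thread: the BSD-header line and the header-less line render %timereported% without a fraction, the RFC 3339 line with microseconds keeps them, and %timegenerated% always carries the receiver's own high-resolution clock. The header-less case is the one Rainer attributes to auditd: the receiver has no sender timestamp to report, so what ends up in %timereported% is the reception time, and the only real fix is for the sender to emit a proper syslog() API header.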
