2016-01-27 11:58 GMT+01:00 David Lang <[email protected]>:

> On Wed, 27 Jan 2016, Muhammad Asif wrote:
>
>> Hi Geeks,
>>
>> My snort is not attaching the year in logs. I want to forward these logs to
>> the next server, but I want to add the year in the timestamp. I tried many
>> templates but to no avail; the result is the same, like "Jan 27 15:32:17".
>> How can I add the year in the timestamp?
>>
>> %timegenerated:::date-unixtimestamp%
>> %timegenerated:::date-rfc3339%
>> %timegenerated:::date-strftime(%Y-%m-%d %H:%M:%S)%
>>
>
> you can't put a year in the timestamp when using a rfc3164 message format,
> you can only do it when using the rfc5424 format (RSYSLOG_ForwardFormat as
> opposed to RSYSLOG_TraditionalForwardFormat)
>
>
I thought the question is just related to the output end. But note that
recent rsyslog can accept a year in RFC3164, because that happens commonly
enough. In order to prevent false positives, you need to enable it, though
(see pmrfc3164 doc, param is "detect.yearaftertimestamp").

HTH
Rainer

> now, you can put anything you want in the message body, and I format the
> message body as JSON so that I can do so and still extract the original
> message.
>
> David Lang
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
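
The two options mentioned in this thread, shown together as an rsyslog configuration sketch. This is an added example, not configuration posted by anyone in the thread; the target host, port, ruleset name, parser name and file path are placeholders chosen for illustration.

```conf
# ---------- Sender (the host running snort) ----------
# Forward with the built-in RSYSLOG_ForwardFormat template, which writes
# the timestamp in date-rfc3339 form, so the year travels with the message.
# RSYSLOG_TraditionalForwardFormat would send "Jan 27 15:32:17" instead.
# Assumption: central.example.net and 514/tcp are placeholders.
action(type="omfwd"
       target="central.example.net" port="514" protocol="tcp"
       template="RSYSLOG_ForwardFormat")

# ---------- Receiver ----------
module(load="imtcp")

# Only needed when a sender emits RFC3164-style lines that carry a year
# after the timestamp. The option is off by default; without it the year
# would be parsed as the hostname, which corrupts the host field that
# alerting and correlation rules key on.
# Assumption: "custom.rfc3164" is a name made up for this example.
parser(name="custom.rfc3164" type="pmrfc3164"
       detect.YearAfterTimestamp="on")

# Try RFC5424 first, then the year-tolerant RFC3164 parser.
ruleset(name="remote" parser=["rsyslog.rfc5424", "custom.rfc3164"]) {
    # RSYSLOG_FileFormat stores an rfc3339 timestamp, so the year is
    # kept on disk as well (the traditional file format drops it).
    # Assumption: the file path is a placeholder.
    action(type="omfile" file="/var/log/remote-snort.log"
           template="RSYSLOG_FileFormat")
}

input(type="imtcp" port="514" ruleset="remote")
```

After reloading, `rsyslogd -N1` checks the configuration syntax before the daemon is restarted.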