I am using it in this way but to no avail.

$template linuxbox,"<%pri%> %timegenerated:::date-rfc3164% 172.20.16.25 %syslogtag%%msg%"
$template linuxbox,"<%pri%> %timegenerated:::date-rfc5424% 172.20.16.25 %syslogtag%%msg%"
$template linuxbox,"<%pri%> %timegenerated:::date-rfc3339% 172.20.16.25 %syslogtag%%msg%"
*.* /var/log/temo.log;linuxbox

Thanks

On Wed, Jan 27, 2016 at 4:03 PM, Rainer Gerhards <[email protected]> wrote:

> 2016-01-27 11:58 GMT+01:00 David Lang <[email protected]>:
>
> > On Wed, 27 Jan 2016, Muhammad Asif wrote:
> >
> >> Hi Geeks,
> >>
> >> My snort is not attaching year in logs. I want to forward these logs to
> >> nex server but I want to add year in timestamp. I tried many templates
> >> but to no avail, result is same like "Jan 27 15:32:17". How can I add
> >> year in timestamp.
> >>
> >> %timegenerated:::date-unixtimestamp%
> >> %timegenerated:::date-rfc3339%
> >> %timegenerated:::date-strftime(%Y-%m-%d %H:%M:%S)%
> >
> > you can't put a year in the timestamp when using a rfc3164 message format,
> > you can only do it when using the rfc5424 format (RSYSLOG_ForwardFormat as
> > opposed to RSYSLOG_TraditionalForwardFormat)
>
> I thought the question is just related to the output end. But note that
> recent rsyslog can accept a year in RFC3164, because that happens commonly
> enough. In order to prevent false positives, you need to enable it, though
> (see pmrfc3164 doc, param is "detect.yearaftertimestamp").
>
> HTH
> Rainer
>
> > now, you can put anything you want in the message body, and I format the
> > message body as JSON so that I can do so and still extract the original
> > message.
> >
> > David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
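
The two suggestions quoted in the thread above, put together as an rsyslog configuration sketch. This is an added example, not part of any message in the thread: the target host, port, file paths and the names withYear, custom.rfc3164 and yearAware are assumptions, and the receiver part needs a recent rsyslog, as the reply notes.

```conf
# Added example; host name, port, file paths and object names are placeholders.

# ---- Sender (the host whose logs lack a year) ----
# Forward in the RFC5424-style format: its timestamp is RFC3339 and carries
# the year, unlike RSYSLOG_TraditionalForwardFormat (RFC3164, no year).
action(type="omfwd" target="logserver.example.net" port="514" protocol="udp"
       template="RSYSLOG_ForwardFormat")

# Local file copy with a full RFC3339 timestamp, one record per line.
template(name="withYear" type="string"
         string="%timegenerated:::date-rfc3339% %hostname% %syslogtag%%msg%\n")
action(type="omfile" file="/var/log/with-year.log" template="withYear")

# ---- Receiver ----
# Only relevant when a sender emits RFC3164 with the year appended after the
# timestamp. Without this option the year is parsed as the hostname.
module(load="imudp")
parser(name="custom.rfc3164" type="pmrfc3164" detect.YearAfterTimestamp="on")

# Try RFC5424 first, then the year-aware RFC3164 parser.
ruleset(name="yearAware" parser=["rsyslog.rfc5424", "custom.rfc3164"]) {
    # RSYSLOG_FileFormat is the built-in file template with RFC3339 timestamps.
    action(type="omfile" file="/var/log/remote.log" template="RSYSLOG_FileFormat")
}
input(type="imudp" port="514" ruleset="yearAware")
```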

