Home / server / Questions / 503566
In Process
Bart B
Asked: 2013-04-30 06:03:03 +0800 CST

Rsyslog unix timestamps on RHEL6

  • 772

I'm trying to get rsyslog on RHEL 6 to render the time the message was logged at as a unix timestamp. I started by read the documentation at http://www.rsyslog.com/doc/property_replacer.html. Since there are are old-style and new-style property options, I next checked my version number:

[root@sourwood remote]# rpm -qa | grep rsyslog
rsyslog-pgsql-5.8.10-6.el6.x86_64
rsyslog-5.8.10-6.el6.x86_64
[root@sourwood remote]#

This implies to me that I am using version 5.8. The docs say to use the new-style property options in versions greater than 6, therefore, I should use the old-style property options.

The top of the section describing the old-style options states that the options listed below exist in versions greater than 5.5.3, since 5.8.10 is greater than 5.5.3 that shouldn't be a problem.

Based on the docs I have created the following template (truncated a little for clarity):

$template proxyTemplate,"%timegenerated:::date-unixtimestamp%|%timegenerated:::date-rfc3339%|...\n"

I then use this template in the following way:

if \
        $programname contains 'squid' \
then    /var/log/remote/squid.log;proxyTemplate

The messages from Squid do get logged, and the rfc3339 formatting is working, but the unix timestamp is not. Here is a truncated sample from the logs:

Apr 29 14:59:09|2013-04-29T14:59:09.443172+01:00|...

Am I doing something wrong? Perhaps I've missed some subtlty? Or have I hit upon a bug?

To be sure to be sure I've also tried with the new-style property options, but to no avail.

rhel6

1 Answers

  1. Unfortunately (because I wanted this as well), the documentation is wrong and the feature actually appeared in version 6.3.8. The following text explains my findings.

    According to the project git repository, the first mention of unixtimestamp occurs in commit b88ba94, which is only present from tag v6.3.8:

    $ git clone git://git.adiscon.com/git/rsyslog.git
$ cd rsyslog
$ git log --reverse  -S 'unixtimestamp' --oneline | head -1
b88ba94 added "date-unixtimestamp" property replacer option to format as a unix timestamp
$ git tag --contains b88ba94
v6.3.10
v6.3.11
v6.3.12
v6.3.8
v6.3.9
v6.4.0
...
$

    I then double checked for the presence of unixtimestamp in the SRPM in case it was backported - but no such luck.

    Finally, if you debug the configuration with the command rsyslogd -c 5 -d -N 1 -f /etc/rsyslog.conf, you can see a warning that rsyslog doesn't know about unixtimestamp:

    $ rsyslogd -c 5 -d -N 1 -f /etc/rsyslog.conf
...
8913.783769999:7f45539b3700: cfline: '$template NagiosPassiveServiceCheck, "%TIMESTAMP:::date-unixtimestamp% PROCESS_SERVICE_CHECK_RESULT;%hostname%;FOO;3;%msg:2:$%\n"'
8913.783783726:7f45539b3700: Invalid field option 'date-unixtimestamp' specified - ignored.
$

    Check the value of the compatibility argument -c that your system is using. This argument can radically change how rsyslog interprets the configuration file, so make sure you develop and debug the configuration with the same level you will be using in production (see /etc/sysconfig/rsyslog to set it).

    As an alternative to rsyslog, it might be worth looking at syslog-ng (available from the EPEL repositories) - which allows you to output messages with timestamps represented as seconds-from-epoch.

    • 3