rsyslog template date/time format with seconds

Solution 1

The variables $year, $day, ... $minute refer to the current time. You rather want the timestamp when the event was generated or reported (see here for the difference). The properties timegenerated and timereported (==timestamp) allow for further processing (i.e. you can pick certain fields from these properties). You cannot pick the seconds from the current time but only from the two timestamps mentioned above. So:

template(name="sambalog" type="string"
    string="%timereported:::date-year%-%timereported:::date-month%-%timereported:::date-day% %timereported:::date-hour%:%timereported:::date-minute%:%timereported:::date-second% %HOSTNAME% %app-name% %msg%\n")

Whoa, this is a very long line and instead of defining the template as a string you can also define it as a list. The behaviour is the same, just the definition is different and allows for line breaks and comments in-between. Maybe that improves readability:

template(name="sambalog_list" type="list") {
    property(name="timereported" dateFormat="year")
    constant(value="-")
    property(name="timereported" dateFormat="month")
    constant(value="-")
    property(name="timereported" dateFormat="day")
    constant(value=" ")
    property(name="timereported" dateFormat="hour")
    constant(value=":")
    property(name="timereported" dateFormat="minute")
    constant(value=":")
    property(name="timereported" dateFormat="second")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="app-name")
    property(name="msg" spifno1stsp="on" ) # add space if $msg doesn't start with one
    property(name="msg" droplastlf="on" )  # remove trailing \n from $msg if there is one   
    constant(value="\n")
}

if $programname == 'smbd_audit' then /var/log/so-test.log;sambalog_list

When I put the above into /etc/rsyslog.d/so.conf and then systemctl restart syslog.service and eventually issue

logger -t smbd_audit "Hello, $RANDOM"

then the file /var/log/so-test.log contains:

2018-10-12 22:14:12 myhost smbd_audit Hello, 15793
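
An added example, not part of the original answer: for an audit log it helps to see both timestamps the answer mentions side by side, because timereported is taken from the message as sent while timegenerated comes from the receiving rsyslog's own clock. The template names and the output path are hypothetical; the first template writes both stamps in RFC 3339 form (with UTC offset), the second produces the requested "YYYY-MM-DD HH:MM:SS" layout from a single property.

```rsyslog
# Added example; "sambalog_audit", "sambalog_short" and the file path are
# hypothetical names chosen for illustration.

template(name="sambalog_audit" type="list") {
    # Time the sender reported for the event (parsed from the message)
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" received=")
    # Time this rsyslog instance received the message (local clock)
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="app-name")
    property(name="msg" spifno1stsp="on")   # add space if msg doesn't start with one
    property(name="msg" droplastlf="on")    # msg without a trailing \n
    constant(value="\n")
}

# Same layout as the answer's string template, but the date and time
# (including seconds) come from one property: date-pgsql formats the
# timestamp as "YYYY-MM-DD HH:MM:SS".
template(name="sambalog_short" type="string"
    string="%timereported:::date-pgsql% %HOSTNAME% %app-name%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

if $programname == 'smbd_audit' then {
    action(type="omfile" file="/var/log/so-test-audit.log" template="sambalog_audit")
}
```

A large or drifting gap between the first and the received= timestamp in the resulting file points to clock skew or delayed delivery on the sending host.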

Solution 2

According to the rsyslog docs:

The text between percent signs (‘%’) is interpreted by the rsyslog property replacer.

and the property replacer docs say:

date-second

just the second part (2-digit) of a timestamp

So you should be able to put in %second% or %date-second% into your template to list the seconds.

Author by

tenjohn

Updated on September 18, 2022

Comments

  • tenjohn over 1 year

    My current template configuration of rsyslog looks like this:

    /etc/rsyslog.d/00-samba-audit.conf

    template(name="sambalog" type="string"
     string="%$year%-%$month%-%$day% %$hour%:%$minute% %HOSTNAME% %app-name% %msg%\n")
    
    if $programname == 'smbd_audit' then /var/log/samba/log.audit;sambalog
    

    Sadly for no reason there isn't a variable for the seconds.

    Question: How can I get the following date/time format?

    2018-08-09 20:12:58

  • tenjohn over 5 years
    No luck: "invalid property 'second' [v8.32.0 try rsyslog.com/e/2207 ]"
  • tudor -Reinstate Monica- over 5 years
    I presume you tried "date-second"?