Syslog-ng Time Format & Time Zone

Question

I'm currently using a fairly old version of syslog-ng, 2.1.4, and yes I know I need to update it as soon as possible, but for now I need help on modifying the date/time format and time zone.

Currently everything comes into syslog-ng and gets dumped to a local directory or sent to another device via UDP. The normal log format is:

May  1 00:00:08 hostname.example.com Here is the full message

For one device I'm forwarding the logs to, they want all time formats to be in UTC and also instead of "May 1", they want it to be "May 01".

destination d_test {
    udp("remote_host.domain.com" port(514) spoof_source(yes) time_zone("UTC")); };

When I do this, I get the following error and the log time doesn't change to the receiving host.

Bogus timezone spec, must be in the format [+-]HH:MM, offset must be less than 24:00; value='UTC'

Is there another way to modify this? As far as the 2 symbol date formats, I've tried a few template options but haven't been able to get the initial portion to change yet.

Answer 1

Try using +04:00 (or whatever your time shift would be to get to UTC) instead of UTC for the time zone.

I don't know of any way to easily just change the day of the month to two digits with syslog-ng, but you can get an ISO 8601 compatible standard timestamp (yyyy-mm-ddThh:mm:ss+-ZONE) by using ISODATE instead of DATE. Those can be easier to parse, which may or may not help you depending on your situation.

You could do something with awk, sed, or perl to go through log files and change the datestamp after the fact, but that seems like it may cause other problems.