System logs timestamp contains no year
-
All,
I'm using pfSense 2.4.5 CE and am working to get all of the system logs into Elasticsearch using their common schema. A big part of the schema is data types. For example, a date data type requires a year, which the logs don't provide. And yes, I realize I can use syslog receive time, but that isn't exactly what I'm looking to use. Anyhow, the logs as they are stored on pfSense (e.g. filter.log, dhcpd.log) have a timestamp missing the year. Here are three log types with the first bit of each log. Notice each does not have a year.
Apr 24 14:35:05 router filterlog:
Apr 20 23:24:58 router dhcpd:
Dec 13 19:17:20 router filterdns:
Is there a setting that I can change that will add the year to these logs?
-
I've not studied the PHP code to verify this assumption, but my guess is that the year is not printed to the logs because the underlying logging engine in pfSense at the moment is clog. This is a binary circular logging system that continually overwrites older portions of the logged data with new data. You can set a size limit for when the overwrite action starts. So, for example, you might configure the circular buffer to have 500 lines. When line #501 is written to the buffer it will actually overwrite line #001 in the buffer and so on. The benefit of this kind of logging subsystem is it can't fill up the disk with logs. The downside is that you only have limited logging history available unless you export the logs elsewhere.
So with the above in mind, perhaps the original logic was that clog would never accumulate enough logged data to make keeping the year worthwhile. Just a guess ??? I understand your desire to have the year in the exported data, but I'm not sure that's configurable anywhere in pfSense. I will research it a bit more, or perhaps a more seasoned user will chime in with additional info.
-
That's the default BSD syslog format (RFC 3164).
On 2.5.0 you have the option of using RFC 5424 format which is probably what you're after.
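The two formats named above differ exactly in the field the question is about: an RFC 3164 (BSD) line carries only "Mon DD hh:mm:ss", while an RFC 5424 line carries a full ISO 8601 timestamp. The following Python is an added example, not code from pfSense or from anyone in this thread. It parses both shapes into an ECS-style document with an "@timestamp" that always has a year; for RFC 3164 lines the year is inferred from the receive time, falling back to the previous year when the naive choice would place the event in the future (the "Dec 13" line arriving in January). The sample lines and the message bodies after the program name are constructed for the example; the log clock is assumed to be in the same time zone as the receive time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The prefixes follow the shape shown in the question
# (month, day, time, host, program, no year); the bodies are made up here.
SAMPLE_RFC3164 = [
    "Apr 24 14:35:05 router filterlog: constructed filterlog body",
    "Apr 20 23:24:58 router dhcpd: constructed dhcpd body",
    "Dec 13 19:17:20 router filterdns: constructed filterdns body",
]
# Constructed RFC 5424 line: PRI, version '1', ISO 8601 timestamp with year and zone.
SAMPLE_RFC5424 = "<134>1 2021-04-24T14:35:05.123456-04:00 router filterlog - - - constructed body"

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# RFC 3164: optional <PRI>, "Mon  D hh:mm:ss" (day may be space-padded), host, TAG[pid]: msg
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# RFC 5424: optional <PRI>, version 1, TIMESTAMP HOST APP PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)


def infer_year(mon, day, hms, received_at, tolerance=timedelta(days=1)):
    """Attach a year to an RFC 3164 timestamp using the receive time.

    Try the receive year first; if that places the event more than
    'tolerance' in the future (a December line received in January),
    use the previous year instead. 'received_at' must be timezone-aware.
    """
    hour, minute, second = (int(x) for x in hms.split(":"))
    for year in (received_at.year, received_at.year - 1):
        try:
            candidate = datetime(year, MONTHS[mon], day, hour, minute, second,
                                 tzinfo=received_at.tzinfo)
        except ValueError:  # e.g. "Feb 29" when this year is not a leap year
            continue
        if candidate <= received_at + tolerance:
            return candidate
    raise ValueError(f"cannot place {mon} {day} {hms} relative to {received_at}")


def to_ecs(line, received_at):
    """Parse one syslog line (RFC 5424 or RFC 3164) into an ECS-style dict."""
    m = RFC5424_RE.match(line)
    if m:
        # The year is already in the line; only normalise a trailing 'Z'.
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        prog, fmt = m["app"], "rfc5424"
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        ts = infer_year(m["mon"], int(m["day"]), m["time"], received_at)
        prog, fmt = m["prog"], "rfc3164"
    doc = {
        "@timestamp": ts.isoformat(),
        "event": {"original": line, "created": received_at.isoformat()},
        "host": {"name": m["host"]},
        "process": {"name": prog},
        "message": m["msg"],
        "log": {"syslog": {"format": fmt}},  # 'format' is a hypothetical custom field
    }
    if m["pri"] is not None:
        doc["log"]["syslog"]["priority"] = int(m["pri"])
    return doc


if __name__ == "__main__":
    # Receive times are constructed so the year inference is exercised:
    # the first two lines arrive in April 2021, the December line in January 2021.
    now_apr = datetime(2021, 4, 25, tzinfo=timezone.utc)
    now_jan = datetime(2021, 1, 5, tzinfo=timezone.utc)
    for line in SAMPLE_RFC3164[:2]:
        print(to_ecs(line, now_apr)["@timestamp"], line)
    print(to_ecs(SAMPLE_RFC3164[2], now_jan)["@timestamp"], SAMPLE_RFC3164[2])
    print(to_ecs(SAMPLE_RFC5424, now_apr)["@timestamp"], SAMPLE_RFC5424)
```

The inference is only as good as the receive time and the assumption that both clocks sit in the same zone, which is why the RFC 5424 option in 2.5.0 is the cleaner fix: the line itself then carries the year and the UTC offset, and the parser does not have to guess.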
-
@jimp said in System logs timestamp contains no year:
That's the default BSD syslog format (RFC 3164).
On 2.5.0 you have the option of using RFC 5424 format which is probably what you're after.
Thanks Jim for the real answer! It is an underlying OS thing.
-
@jimp Thank you for the reply!
What key value do I add to the pfSense configuration to change syslog formats? Or otherwise, how do I set this? Exporting my configuration and adding <format>rfc5424</format> to the syslog section did not work. That was my guess on how to do it...
This looks to be the commit that added the feature: https://github.com/pfsense/pfsense/commit/b16c3a12c61c117e9c8140b115efc7f9acea96c5
This post has pictures in the GUI of how to change it: https://forum.netgate.com/topic/146968/system-logs-format-rsyslog/15#
-
Why would you need to manually insert the tag into the config?
Use the GUI option on 2.5.0 to set it, it's under Status > System Logs on the Settings tab. If you're not on 2.5.0, then adding the tag to your configuration won't help.
-
Oh, I see. I'm using the wrong branch!