01-01-2021 08:07 AM
Jan 1 11:03:06 sw.local 482: Jan 1 11:02:53: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 172.16.10.2] [localport: 22] at 11:02:53 EST5EDT Fri Jan 1 2021
Switch: 3560x
IOS: 15.2
Why does syslog have three dates? The first date is the only one that I need/want.
Can I change this?
01-01-2021 08:11 AM
Can you show us your syslog config on the device?
Here is an example:
INFRA2#show run | in log
service timestamps log datetime msec
logging trap debugging
logging facility local6
logging host 10.10.9.18
output
*Jan 1 08:25:10.962: %SYS-5-CONFIG_I: Configured from console by console
01-01-2021 08:14 AM
I think the service timestamps are to blame here?
service timestamps log datetime localtime
aaa authentication login default local
login block-for 1800 attempts 3 within 60
login on-failure log
login on-success log
logging host 172.16.15.3
01-01-2021 08:23 AM
Is your syslog server in the same time zone or a different one? Then it is worth trying to change this; it is not a service-impacting change, so you can tweak and test here and advise.
service timestamps log datetime localtime
01-01-2021 08:49 AM
I'm not sure what you're asking? My syslog server and all other messages are in the same timezone and are synchronized to the same NTP server.
I have some automated scripts that parse logs and I would prefer if the syslog messages from this switch did not have three date fields.
01-01-2021 09:00 AM
If they are all in the same zone, you should get the message correctly on the syslog server. You can also check whether the device itself generates the same logs, or are these the logs you see on the syslog server?
If the device has correct logs and only syslog is seeing these different logs, then you need to investigate on the syslog side how it is writing and adding new context information.
Which syslog server?
01-01-2021 09:10 AM
The logs I posted originally were from the syslog server
The logs on the switch itself look like this:
Jan 1 11:13:07: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 172.16.10.2] [localport: 22] at 11:13:07 EST5EDT Fri Jan 1 2021
I am using rsyslog. I do see that rsyslog is adding the date and hostname at the start, but the switch is still putting the "at DATE" at the end of the message.
Perhaps I can make rsyslog itself stop putting date and hostname at the start of the message, but an alternative is to make the switch send syslogs as every other device normally would.
Would omitting service timestamps eliminate the timestamp at the beginning of the message?
What can be done to eliminate the date at the end of the message?
01-01-2021 11:24 AM
Applying "no service timestamp" eliminated the timestamps at the beginning of syslog messages.
The timestamp at the end of log in and out messages appears to be permanent.
01-01-2021 11:39 AM - edited 01-01-2021 11:42 AM
In that case, this has more to do with the lines below (try removing them and test it):
login on-failure log
login on-success log
Some reference:
https://blog.ipspace.net/2006/12/log-terminal-access-to-your-router.html
01-02-2021 02:32 AM
Hello,
as far as I recall, timestamps have nothing to do with this syslog message. You can turn off all timestamping on the device, but the syslog would still give you the 'timestamp' at the end. This is because it is an integral part of the message body itself.
So, this 'timestamp' is not really a timestamp, and unfortunately, there is no way to truncate this specific message body to NOT display just the last characters (the 'timestamp').
Hope that makes sense...
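Because the thread concludes that the trailing "at ..." clause is part of the login message body, a parsing script has to deal with it on the collector side. The Python below is an added example, not code from any poster in this thread: it normalizes the rsyslog lines shown above whether or not `service timestamps` is enabled. The sample lines are constructed from the thread's output, and the function and field names are hypothetical.

```python
import re

# Receive time and host are added by rsyslog; the numeric counter and the
# IOS "service timestamps" prefix are treated as optional, as in the thread.
LINE_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?:(?P<seq>\d+):\s)?"
    r"(?:[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s[\d:.]+:\s)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s"
    r"(?P<body>.*)$"
)
# Trailing "at HH:MM:SS TZ Day Mon D YYYY" embedded in the login message body.
TRAILING_AT_RE = re.compile(
    r"\s+at (\d{2}:\d{2}:\d{2} \S+ [A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{4})$"
)
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")

# Constructed samples: with service timestamps, without them, and a
# message type that carries no trailing "at ..." clause.
SAMPLES = [
    "Jan 1 11:03:06 sw.local 482: Jan 1 11:02:53: %SEC_LOGIN-5-LOGIN_SUCCESS: "
    "Login Success [user: admin] [Source: 172.16.10.2] [localport: 22] "
    "at 11:02:53 EST5EDT Fri Jan 1 2021",
    "Jan 1 11:30:42 sw.local 490: %SEC_LOGIN-5-LOGIN_SUCCESS: "
    "Login Success [user: admin] [Source: 172.16.10.2] [localport: 22] "
    "at 11:30:41 EST5EDT Fri Jan 1 2021",
    "Jan 1 08:25:11 sw.local 17: *Jan 1 08:25:10.962: %SYS-5-CONFIG_I: "
    "Configured from console by console",
]

def parse_line(line):
    """Return a dict for one collector line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    at = TRAILING_AT_RE.search(body)
    rec["device_at"] = at.group(1) if at else None  # kept for clock-skew checks
    if at:
        body = body[: at.start()]
    rec["fields"] = {k.lower(): v for k, v in FIELD_RE.findall(body)}
    rec["message"] = FIELD_RE.sub("", body).strip()
    return rec

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```

Only `received` is used as the event time; `device_at` is retained so a large gap between the two can be flagged as clock drift on the switch.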