SYSLOG with Unix-Epoch plus nano-seconds

[JM-2019]

Hi,
I am new to Vector and have a problem to forward syslog messages to datadog.
When looking in datadog the packets have the timestamp from my vector-system, not from the device where the syslog is send from.

The syslog-messages look like in this format:
<134>1 1639328927.519695901 AAA_BBB flows src=10.221.11.141 dst=12.225.102.103 mac=00:1D:12:23:45:86 protocol=icmp type=8 pattern: 0 all
In my opinion the syslog-source of the vector-system has a problem to transform the "1639328927.519695901" into a valid timestamp.
So it takes the local time.
As you see, I tried to remap the timestamp. But for me it still seems, that the "1639328927.519695901" is not used for the timestamp...

I tried this here:

[sources.syslog]
type = "syslog"
address = "0.0.0.0:514"
mode = "udp"
path = "/path/to/socket"

[transforms.remap]
type = "remap"
inputs = ["syslog"]
source = '''
.ddsource = "meraki-syslog"
'''

[transforms.timestamp]
type = "remap"
inputs = ["remap"]
source = '''
.timestamp, err = format_timestamp(.timestamp, "%s.%f")
'''

[sinks.out]
type = "console" # required
inputs = ["timestamp"] # required
target = "stdout" # optional, default
encoding.codec = "json" # required

[sinks.datadog]
region = "eu"
type = "datadog_logs" # required
inputs = ["timestamp"] # required
api_key = "${DD_API_KEY}" # required
compression = "gzip" # optional, default
encoding.codec = "json" # required
tls.enabled = true
tls.verify_certificate = true # optional, default
tls.verify_hostname = true # optional, default

Many thanks fou your help
Juergen

[spencergilbert]

My first guess is that the formatting is failing, I'd start by checking that:

[transforms.timestamp]
type = "remap"
inputs = ["remap"]
source = '''
.timestamp, err = format_timestamp(.timestamp, "%s.%f")
if err != null {
  log(err, level: "error")
}
'''

[JM-2019]

Hi spencergilbert,

thank you for your answer.
My problem is, that the ".timestamp" in the [transforms.remap] section has already the wrong value, because it was not imported during the "[sources.syslog]" correctly. It is the system time, not the time which is included in the syslog.
So, if I use your code-lines, I am converting the wrong-value. Anyway, your code is working fine. The result is the Unix.Epoch+Nano for the system time....

I am looking for a way, that the [sources.syslog] converts the timestamp in the syslog-message correctly.

Greetings
Juergen

[jszwedko]

Hi @JM-2019 !

As you discovered, Vector won't parse a unix timestamp in that position; it expects a timestamp encoded in syslog format (RFC3164 or RFC5424). What is publishing those syslog messages with timestamps like that?

As a workaround you could, instead of using a syslog source, instead use a socket source that won't do any message parsing and then parse the message yourself in remap (maybe using parse_grok or parse_regex).

[JM-2019]

Hi @jszwedko ,

thankyou for your feedback. I already started with the parse_grok processing. As I am new to Vector, I thought there would be a better way to solve it. The good thing is, that I can solve it with Vector. (Great!) ,-)

Well, the source of this SYSLOG-message is: CISCO Meraki
See here: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples

Unfortunately I can not change the timestamp format in their cloud-dashboard. But I will open a ticket and ask them, in which RFC this timestamp-format is explained....

Thankyou for your help!
Juergen

[jszwedko]

Thanks for your reply! I do see this in their examples. I'm curious what their response is. If this is a common format, I could see us adding support to Vector to parse it.

[JM-2019]

Sounds good. I will keep you up-to-date. I am afraid, that it will take some days.....