I have installed NAV 3.5.5 on CentOS 5.4, and followed the instructions by Roger Aas.
Think this has been an issue in earlier versions too.
The log engine seems to timestamp the syslog messages when the cisco.log file is parsed rather than when the message is generated on the device. Messages in cisco.log have the correct timestamp. Look at the sample below:
Cisco.log
Mar 7 11:27:45 host: Mar 7 2010 11:27:47: %SEC-6-IPACCESSLOGP: list fraDMZ denied tcp x.x.x.x(2173) -> y.y.y.y(9100), 1 packet
NAV - Syslog Analyzer
2010-03-07 11:27:00 host SEC-6(6)-IPACCESSLOGP 'list fraDMZ denied tcp x.x.x.x(2171) -> y.y.y.y(9100), 1 packet'
Regards,
Ronny Raudstein
Kvinnherad Kommune
On Sun, 7 Mar 2010 11:34:26 +0100 "ronny.raudstein" ronny.raudstein@kvinnherad.kommune.no wrote:
The log engine seems to timestamp the syslog messages when the cisco.log file is parsed rather than when the message is generated on the device. Messages in cisco.log have the correct timestamp. Look at the sample below:
Cisco.log
Mar 7 11:27:45 host: Mar 7 2010 11:27:47: %SEC-6-IPACCESSLOGP: list fraDMZ denied tcp x.x.x.x(2173) -> y.y.y.y(9100), 1 packet
NAV - Syslog Analyzer
2010-03-07 11:27:00 host SEC-6(6)-IPACCESSLOGP 'list fraDMZ denied tcp x.x.x.x(2171) -> y.y.y.y(9100), 1 packet'
Hi Ronny,
the log engine could not possibly have parsed the message at 11:27:00 if the message was logged at 11:27:45. That pretty much rules out your hypothesis.
Looking at the code, though, I can see that the syslog parser ignores the seconds field of the timestamp. Hence, a message logged at 13:37:59 would be saved to the database with a timestamp of 13:37:00.
I've reported this as a bug: https://bugs.launchpad.net/nav/+bug/537220
I wrote a small patch I think fixes the problem, and attached that to the bug report. You can test it if you like :)
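
Added example, not NAV's code and not the patch attached to the bug report: a parser for the cisco.log line layout quoted in this thread that keeps the seconds field of the device timestamp. The regular expression, `parse_line` and its `keep_seconds` switch are assumptions made for this illustration; `keep_seconds=False` only mimics the truncation effect described above.

```python
import re
from datetime import datetime

# Sample input: the cisco.log line quoted in the thread.
SAMPLE = ("Mar 7 11:27:45 host: Mar 7 2010 11:27:47: %SEC-6-IPACCESSLOGP: "
          "list fraDMZ denied tcp x.x.x.x(2173) -> y.y.y.y(9100), 1 packet")

# Month names mapped by hand so parsing does not depend on the process locale.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Assumed layout: syslog receiver header, origin host, then the device's own
# timestamp (with year and seconds) and the %FACILITY-SEVERITY-MNEMONIC tag.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+?):\s+"
    r"(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<year>\d{4})\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})(?:\.\d+)?:\s+"
    r"%(?P<facility>[^%\s]+?)-(?P<severity>\d)-(?P<mnemonic>[^:\s]+):\s*"
    r"(?P<text>.*)$")


def parse_line(line, keep_seconds=True):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("mon") not in MONTHS:
        return None
    try:
        when = datetime(int(m.group("year")), MONTHS[m.group("mon")],
                        int(m.group("day")), int(m.group("hh")),
                        int(m.group("mm")),
                        int(m.group("ss")) if keep_seconds else 0)
    except ValueError:  # impossible date or time, e.g. "Feb 31" or hour 25
        return None
    return {"time": when, "host": m.group("host"),
            "facility": m.group("facility"),
            "severity": int(m.group("severity")),
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


if __name__ == "__main__":
    print(parse_line(SAMPLE)["time"])                      # seconds kept
    print(parse_line(SAMPLE, keep_seconds=False)["time"])  # seconds dropped
```

With the seconds dropped, every event from the same minute collapses onto one timestamp, so their order can no longer be recovered from the stored time alone.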