Timestamps in /var/log/appfirewall.log


I'm trying to change the format of date/time stamps in
/var/log/appfirewall, and so far haven't figured it out.

Currently, lines in the log are in this format:

Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP 
192.23.13.112:58304 10.0.0.1:23 in via en0

What I would like is to change the date/time stamp to something like: 

YYYY-MM-DD HH:MM:SS

In /etc/syslog.conf, I see this entry:

local0.*       /var/log/appfirewall.log

And I see in the syslog manual that you could use the "-T utc" or -u 
switches to control the format of time stamps. The syslog facility is 
for sending and reading messages though. So it seems what I would need 
to do is change ipfw such that it sends its messages with the -u switch 
(or the equivalent). 

Before I spend any more time looking into this, has anyone here ever 
changed the format of syslog messages? Am I barking up the wrong tree?

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10542) 1/24/2012 2:10:26 PM

In article <jollyroger-EEE312.08102624012012@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> I'm trying to change the format of date/time stamps in 
> /var/log/appfirewall, and so far haven't figured it out.
> 
> Currently, lines in the log are in this format:
> 
> Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP 
> 192.23.13.112:58304 10.0.0.1:23 in via en0
> 
> What I would like is to change the date/time stamp to something like: 
> 
> YYYY-MM-DD HH:MM:SS
> 
> in /etc/syslog.conf, I see this entry:
> 
> local0.*       /var/log/appfirewall.log
> 
> And I see in the syslog manual that you could use the "-T utc" or -u 
> switches to control the format of time stamps. The syslog facility is 
> for sending and reading messages though. So it seems what I would need 
> to do is change ipfw such that it sends its messages with the -u switch 
> (or the equivalent). 
> 
> Before I spend any more time looking into this, has anyone here ever 
> changed the format of syslog messages? Am I barking up the wrong tree?

got code?

Seriously, unless you run your own version of the logging system and 
write your own log files, I think you're trying to piss up a swinging 
rope here.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1919) 1/25/2012 5:06:07 AM


In article <vilain-F4CF32.21060524012012@news.individual.net>,
 Michael Vilain <vilain@NOspamcop.net> wrote:

> In article <jollyroger-EEE312.08102624012012@news.individual.net>,
>  Jolly Roger <jollyroger@pobox.com> wrote:
> 
> > I'm trying to change the format of date/time stamps in 
> > /var/log/appfirewall, and so far haven't figured it out.
> > 
> > Currently, lines in the log are in this format:
> > 
> > Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP 
> > 192.23.13.112:58304 10.0.0.1:23 in via en0
> > 
> > What I would like is to change the date/time stamp to something like: 
> > 
> > YYYY-MM-DD HH:MM:SS
> > 
> > in /etc/syslog.conf, I see this entry:
> > 
> > local0.*       /var/log/appfirewall.log
> > 
> > And I see in the syslog manual that you could use the "-T utc" or -u 
> > switches to control the format of time stamps. The syslog facility is 
> > for sending and reading messages though. So it seems what I would need 
> > to do is change ipfw such that it sends its messages with the -u switch 
> > (or the equivalent). 
> > 
> > Before I spend any more time looking into this, has anyone here ever 
> > changed the format of syslog messages? Am I barking up the wrong tree?
> 
> got code?
> 
> Seriously, unless you run your own version of the logging system and 
> write your own log files, I think you're trying to piss up a swinging 
> rope here.

Yeah, seems like I'd have to hack ipfw or syslog to get it to do what I
want. I don't wanna hack either one.

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10542) 1/25/2012 11:46:58 AM

On Wed, 25 Jan 2012 05:46:58 -0600, Jolly Roger wrote:

> In article <vilain-F4CF32.21060524012012@news.individual.net>,
>  Michael Vilain <vilain@NOspamcop.net> wrote:
> 
>> In article <jollyroger-EEE312.08102624012012@news.individual.net>,
>>  Jolly Roger <jollyroger@pobox.com> wrote:
>> 
>> > I'm trying to change the format of date/time stamps in
>> > /var/log/appfirewall, and so far haven't figured it out.
>> > 
>> > Currently, lines in the log are in this format:
>> > 
>> > Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP
>> > 192.23.13.112:58304 10.0.0.1:23 in via en0
>> > 
>> > What I would like is to change the date/time stamp to something like:
>> > 
>> > YYYY-MM-DD HH:MM:SS
>> > 
>> > in /etc/syslog.conf, I see this entry:
>> > 
>> > local0.*       /var/log/appfirewall.log
>> > 
>> > And I see in the syslog manual that you could use the "-T utc" or -u
>> > switches to control the format of time stamps. The syslog facility is
>> > for sending and reading messages though. So it seems what I would
>> > need to do is change ipfw such that it sends its messages with the -u
>> > switch (or the equivalent).
>> > 
>> > Before I spend any more time looking into this, has anyone here ever
>> > changed the format of syslog messages? Am I barking up the wrong
>> > tree?
>> 
>> got code?
>> 
>> Seriously, unless you run your own version of the logging system and
>> write your own log files, I think you're trying to piss up a swinging
>> rope here.
> 
> Yeah seems like I'd have to hack ipfw or syslog to get it to do what I
> want. I don't wanna hack either one.

A bit of searching late last night brought me suggestions of using
syslog-ng or rsyslog. Sorry I didn't get any further because I was tired.

<http://www.balabit.com/network-security/syslog-ng/opensource-logging-system>

syslog-ng links to OS X binaries:

<http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/downloads/3rd_party>

rsyslog. The following post notes that various other utilities depend on 
the syslog format, and advises keeping separate copies of custom format 
logs:

<http://www.mail-archive.com/postfix-users@postfix.org/msg34782.html>


-- 
Paul Sture
0
Reply paul303 (1382) 1/25/2012 4:13:04 PM

In article <g9m5v8-dcb1.ln1@news.sture.ch>, Paul Sture <paul@sture.ch> 
wrote:

> On Wed, 25 Jan 2012 05:46:58 -0600, Jolly Roger wrote:
> 
> > In article <vilain-F4CF32.21060524012012@news.individual.net>,
> >  Michael Vilain <vilain@NOspamcop.net> wrote:
> > 
> >> In article <jollyroger-EEE312.08102624012012@news.individual.net>,
> >>  Jolly Roger <jollyroger@pobox.com> wrote:
> >> 
> >> > I'm trying to change the format of date/time stamps in
> >> > /var/log/appfirewall, and so far haven't figured it out.
> >> > 
> >> > Currently, lines in the log are in this format:
> >> > 
> >> > Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP
> >> > 192.23.13.112:58304 10.0.0.1:23 in via en0
> >> > 
> >> > What I would like is to change the date/time stamp to something like:
> >> > 
> >> > YYYY-MM-DD HH:MM:SS
> >> > 
> >> > in /etc/syslog.conf, I see this entry:
> >> > 
> >> > local0.*       /var/log/appfirewall.log
> >> > 
> >> > And I see in the syslog manual that you could use the "-T utc" or -u
> >> > switches to control the format of time stamps. The syslog facility is
> >> > for sending and reading messages though. So it seems what I would
> >> > need to do is change ipfw such that it sends its messages with the -u
> >> > switch (or the equivalent).
> >> > 
> >> > Before I spend any more time looking into this, has anyone here ever
> >> > changed the format of syslog messages? Am I barking up the wrong
> >> > tree?
> >> 
> >> got code?
> >> 
> >> Seriously, unless you run your own version of the logging system and
> >> write your own log files, I think you're trying to piss up a swinging
> >> rope here.
> > 
> > Yeah seems like I'd have to hack ipfw or syslog to get it to do what I
> > want. I don't wanna hack either one.
> 
> A bit of searching late last night brought me suggestions of using syslog-
> ng or rsyslog. Sorry I didn't get any further because I was tired.
> 
> <http://www.balabit.com/network-security/syslog-ng/opensource-logging-
> system>
> 
> syslog-ng links to OS X binaries:
> 
> <http://www.balabit.com/network-security/syslog-ng/opensource-logging-
> system/downloads/3rd_party>
> 
> rsyslog. The following post notes that various other utilities depend on 
> the syslog format, and advises keeping separate copies of custom format 
> logs:
> 
> <http://www.mail-archive.com/postfix-users@postfix.org/msg34782.html>

This was what I was thinking when JR posted.  Thanks for doing the leg 
work, Paul.  I bow to your superior googlefu.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1919) 1/26/2012 5:48:43 AM

In article <g9m5v8-dcb1.ln1@news.sture.ch>, Paul Sture <paul@sture.ch> 
wrote:

> On Wed, 25 Jan 2012 05:46:58 -0600, Jolly Roger wrote:
> 
> > In article <vilain-F4CF32.21060524012012@news.individual.net>,
> >  Michael Vilain <vilain@NOspamcop.net> wrote:
> > 
> >> In article <jollyroger-EEE312.08102624012012@news.individual.net>,
> >>  Jolly Roger <jollyroger@pobox.com> wrote:
> >> 
> >> > I'm trying to change the format of date/time stamps in
> >> > /var/log/appfirewall, and so far haven't figured it out.
> >> > 
> >> > Currently, lines in the log are in this format:
> >> > 
> >> > Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP
> >> > 192.23.13.112:58304 10.0.0.1:23 in via en0
> >> > 
> >> > What I would like is to change the date/time stamp to something like:
> >> > 
> >> > YYYY-MM-DD HH:MM:SS
> >> > 
> >> > in /etc/syslog.conf, I see this entry:
> >> > 
> >> > local0.*       /var/log/appfirewall.log
> >> > 
> >> > And I see in the syslog manual that you could use the "-T utc" or -u
> >> > switches to control the format of time stamps. The syslog facility is
> >> > for sending and reading messages though. So it seems what I would
> >> > need to do is change ipfw such that it sends its messages with the -u
> >> > switch (or the equivalent).
> >> > 
> >> > Before I spend any more time looking into this, has anyone here ever
> >> > changed the format of syslog messages? Am I barking up the wrong
> >> > tree?
> >> 
> >> got code?
> >> 
> >> Seriously, unless you run your own version of the logging system and
> >> write your own log files, I think you're trying to piss up a swinging
> >> rope here.
> > 
> > Yeah seems like I'd have to hack ipfw or syslog to get it to do what I
> > want. I don't wanna hack either one.
> 
> A bit of searching late last night brought me suggestions of using syslog-
> ng or rsyslog. Sorry I didn't get any further because I was tired.
> 
> <http://www.balabit.com/network-security/syslog-ng/opensource-logging-
> system>
> 
> syslog-ng links to OS X binaries:
> 
> <http://www.balabit.com/network-security/syslog-ng/opensource-logging-
> system/downloads/3rd_party>
> 
> rsyslog. The following post notes that various other utilities depend on 
> the syslog format, and advises keeping separate copies of custom format 
> logs:
> 
> <http://www.mail-archive.com/postfix-users@postfix.org/msg34782.html>

Thanks. : ( That seems like way more work than I want to put into it. I 
dislike the date format in this particular log, but not enough to go 
through the trouble of replacing syslog and maintaining that replacement 
as OS updates roll out. Thanks for the info though!

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10542) 1/26/2012 6:59:17 PM

In article <jollyroger-2129F9.12591626012012@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> In article <g9m5v8-dcb1.ln1@news.sture.ch>, Paul Sture <paul@sture.ch> 
> wrote:
> 
> > On Wed, 25 Jan 2012 05:46:58 -0600, Jolly Roger wrote:
> > 
> > > In article <vilain-F4CF32.21060524012012@news.individual.net>,
> > >  Michael Vilain <vilain@NOspamcop.net> wrote:
> > > 
> > >> In article <jollyroger-EEE312.08102624012012@news.individual.net>,
> > >>  Jolly Roger <jollyroger@pobox.com> wrote:
> > >> 
> > >> > I'm trying to change the format of date/time stamps in
> > >> > /var/log/appfirewall, and so far haven't figured it out.
> > >> > 
> > >> > Currently, lines in the log are in this format:
> > >> > 
> > >> > Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP
> > >> > 192.23.13.112:58304 10.0.0.1:23 in via en0
> > >> > 
> > >> > What I would like is to change the date/time stamp to something like:
> > >> > 
> > >> > YYYY-MM-DD HH:MM:SS
> > >> > 
> > >> > in /etc/syslog.conf, I see this entry:
> > >> > 
> > >> > local0.*       /var/log/appfirewall.log
> > >> > 
> > >> > And I see in the syslog manual that you could use the "-T utc" or -u
> > >> > switches to control the format of time stamps. The syslog facility is
> > >> > for sending and reading messages though. So it seems what I would
> > >> > need to do is change ipfw such that it sends its messages with the -u
> > >> > switch (or the equivalent).
> > >> > 
> > >> > Before I spend any more time looking into this, has anyone here ever
> > >> > changed the format of syslog messages? Am I barking up the wrong
> > >> > tree?
> > >> 
> > >> got code?
> > >> 
> > >> Seriously, unless you run your own version of the logging system and
> > >> write your own log files, I think you're trying to piss up a swinging
> > >> rope here.
> > > 
> > > Yeah seems like I'd have to hack ipfw or syslog to get it to do what I
> > > want. I don't wanna hack either one.
> > 
> > A bit of searching late last night brought me suggestions of using syslog-
> > ng or rsyslog. Sorry I didn't get any further because I was tired.
> > 
> > <http://www.balabit.com/network-security/syslog-ng/opensource-logging-
> > system>
> > 
> > syslog-ng links to OS X binaries:
> > 
> > <http://www.balabit.com/network-security/syslog-ng/opensource-logging-
> > system/downloads/3rd_party>
> > 
> > rsyslog. The following post notes that various other utilities depend on 
> > the syslog format, and advises keeping separate copies of custom format 
> > logs:
> > 
> > <http://www.mail-archive.com/postfix-users@postfix.org/msg34782.html>
> 
> Thanks. : ( That seems like way more work than I want to put into it. I 
> dislike the date format in this particular log, but not enough to go 
> through the trouble of replacing syslog and maintaining that replacement 
> as OS updates roll out. Thanks for the info though!

This was my initial thought when you posted, JR.  Changing a system 
component of an OS means you have to maintain that component for the 
life of the system, checking that it will work through every patch and 
upgrade.  When I managed Solaris systems, I tried to make as few 
changes as possible to Solaris.  Thankfully, it was designed this way, as 
is MacOS X.

You could write a Perl script that formats the files the way you want so 
you can look at them through your utility rather than viewing the raw 
files.  I did this a lot, building custom tools that told me what I 
needed to know about the systems I was managing in a single 'page' of 
text (about 50 lines).

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1919) 1/28/2012 12:04:12 AM
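The post-processing script Michael suggests above, as an added example that is not from anyone in this thread: it parses the line format JR quoted and rewrites the stamp as YYYY-MM-DD HH:MM:SS, writing a separate copy so the stock syslog file stays untouched (the point Paul's postfix-users link makes). It is Python rather than Perl, and the `start_year` argument and the month-rollover heuristic are assumptions of this example, needed because BSD syslog lines carry no year at all.

```python
import re
from datetime import datetime

# BSD syslog header as written by OS X syslogd: "Mon DD HH:MM:SS host ...".
# Single-digit days are space padded ("Mar  3") and there is no year field.
SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
                       r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
MONTHS = {n: i for i, n in enumerate(("Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                      "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), 1)}

def parse_header(line):
    """Return (month, day, hour, minute, second, rest), or None when the line
    carries no syslog header (continuation lines, truncated or junk lines)."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m or m.group("mon") not in MONTHS:
        return None
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    return MONTHS[m.group("mon")], int(m.group("day")), hh, mm, ss, m.group("rest")

def reformat_lines(lines, start_year):
    """Rewrite each timestamp as YYYY-MM-DD HH:MM:SS.

    syslog never records the year, so the caller supplies the year of the
    first line (for instance from the file's mtime or rotation suffix).
    Year-rollover heuristic (an assumption of this example, not a syslog
    rule): when the month number drops relative to the previous line
    (Dec -> Jan) the year is incremented. Lines that do not parse are passed
    through unchanged so the rewritten copy stays complete.
    """
    out, year, prev_month = [], start_year, None
    for line in lines:
        parsed = parse_header(line)
        if parsed is None:
            out.append(line.rstrip("\r\n"))
            continue
        month, day, hh, mm, ss, rest = parsed
        if prev_month is not None and month < prev_month:
            year += 1
        prev_month = month
        try:
            stamp = datetime(year, month, day, hh, mm, ss)
        except ValueError:  # e.g. "Feb 30" in a corrupted line: keep it as-is
            out.append(line.rstrip("\r\n"))
            continue
        out.append(stamp.strftime("%Y-%m-%d %H:%M:%S") + " " + rest)
    return out

def write_copy(src_path, dst_path, start_year):
    """Write the reformatted log as a separate file; the original stays in the
    stock format other tools expect. Returns the number of lines written."""
    with open(src_path, encoding="utf-8", errors="replace") as src:
        rewritten = reformat_lines(src, start_year)
    with open(dst_path, "w", encoding="utf-8") as dst:
        dst.write("\n".join(rewritten) + "\n")
    return len(rewritten)

# Constructed sample: the thread's own line plus two lines around New Year.
SAMPLE = [
    "Dec 31 23:59:58 server Firewall[459]:  1130 Accept TCP 192.23.13.112:58304 10.0.0.1:23 in via en0",
    "Jan  1 00:00:02 server Firewall[459]:  1130 Accept TCP 192.23.13.112:58305 10.0.0.1:23 in via en0",
    "Mar  3 11:48:31 server Firewall[459]:  1130 Accept TCP 192.23.13.112:58304 10.0.0.1:23 in via en0",
    "\tcontinuation line with no header",
]
```

`reformat_lines(SAMPLE, 2011)` yields stamps 2011-12-31, 2012-01-01 and 2012-03-03 for the three header lines and passes the continuation line through untouched.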

In article <vilain-473A16.16041127012012@news.individual.net>,
 Michael Vilain <vilain@NOspamcop.net> wrote:

> In article <jollyroger-2129F9.12591626012012@news.individual.net>,
>  Jolly Roger <jollyroger@pobox.com> wrote:
> 
> > Thanks. : ( That seems like way more work than I want to put into it. I 
> > dislike the date format in this particular log, but not enough to go 
> > through the trouble of replacing syslog and maintaining that replacement 
> > as OS updates roll out. Thanks for the info though!
> 
> This was my initial thought when you posted JR.  Changing a system 
> component of an OS means you have to maintain that component for the 
> life of the system, checking that it will work through every patch and 
> upgrade.  When I managed Solaris systems, I tried to make as little 
> changes as possible to Solaris.  Thankfully, it was designed this way as 
> is MacOS X.

Indeed. I do have custom installations of certain things on this system 
that I must maintain through the life of the machine, through system 
updates/upgrades, and so on. I'm just not sure I want to add this 
particular piece to that puzzle.  : )
 
> You could write a perl script that formats the files the way you want so 
> you can look at them through your utility rather than viewing the raw 
> files.  I did this a lot, building custom tools that told me what I 
> needed to know about the systems I was managing in a single 'page' of 
> text (about 50 lines).

That's an idea. Still not sure I want to invest that much time and 
energy into it. I tend to be a bit of a perfectionist - especially when 
it comes to software / scripts I write for myself at home. So I can see 
this taking a good bit of my time to get just the way I want.  ; )

-- 
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
0
Reply jollyroger (10542) 1/28/2012 2:27:44 PM

In article <jollyroger-50CE3E.08274428012012@news.individual.net>,
 Jolly Roger <jollyroger@pobox.com> wrote:

> In article <vilain-473A16.16041127012012@news.individual.net>,
>  Michael Vilain <vilain@NOspamcop.net> wrote:
> 
> > In article <jollyroger-2129F9.12591626012012@news.individual.net>,
> >  Jolly Roger <jollyroger@pobox.com> wrote:
> > 
> > > Thanks. : ( That seems like way more work than I want to put into it. I 
> > > dislike the date format in this particular log, but not enough to go 
> > > through the trouble of replacing syslog and maintaining that replacement 
> > > as OS updates roll out. Thanks for the info though!
> > 
> > This was my initial thought when you posted JR.  Changing a system 
> > component of an OS means you have to maintain that component for the 
> > life of the system, checking that it will work through every patch and 
> > upgrade.  When I managed Solaris systems, I tried to make as little 
> > changes as possible to Solaris.  Thankfully, it was designed this way as 
> > is MacOS X.
> 
> Indeed. I do have custom installations of certain things on this system 
> that I must maintain through the life of the machine, through system 
> updates/upgrades, and so on. I'm just not sure I want to add this 
> particular piece to that puzzle.  : )
>  
> > You could write a perl script that formats the files the way you want so 
> > you can look at them through your utility rather than viewing the raw 
> > files.  I did this a lot, building custom tools that told me what I 
> > needed to know about the systems I was managing in a single 'page' of 
> > text (about 50 lines).
> 
> That's an idea. Still not sure I want to invest that much time and 
> energy into it. I tend to be a bit of a perfectionist - especially when 
> it comes to software / scripts I write for myself at home. So I can see 
> this taking a good bit of my time to get just the way I want.  ; )

It could be worse. You could be watching AMERICAN IDOL or SURVIVOR 
instead.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]


0
Reply vilain2 (1919) 1/29/2012 5:13:06 AM
