:: Re: [DNG] rsyslog alternative
Author: Marjorie Roome
Date:  
To: dng
Subject: Re: [DNG] rsyslog alternative


On 12 December 2025 11:19:53 GMT, altoid via Dng <dng@???> wrote:
>Hello:
>
>On 11 Dec 2025 at 22:42, Marjorie Roome via Dng wrote:
>
>> ... installed syslog-ng-core ...
>> ... in Devuan Daedalus ...
>> ... it automatically removes rsyslog.
>I very rarely use synaptic, just apt update / upgrade.
>I expect it will behave in the same manner. (?)
>

I hope and expect apt, aptitude, etc. will produce a similar clean replacement.
I've only tried it with Synaptic.
Synaptic points out that the two sysloggers are strict alternatives ("conflicts with"), just like I can only have one of thunderbird or evolution as my mail client.

>> ... seem to be a drop in replacement ...
>> ... at least for local logging. 
>That's the only logs I know of and look at every so often to check.
>ie: everything under [/var/log].
>
>Q: Noticed any logs missing from your system?
>Logs are my go to place to see what is going on.
>

Not seen any changes (yet); of course, rsyslog didn't manage all logs.

>> ... default log entries are started with the BSD date/time ...
>> BSD Date
>> Dec 11 15:55:05
>> ISO Date
>> 2025-12-11T15:55:05+00:00
>For some reason my system logs seem to have different formats:
>
>auth.log -> Dec 12 07:15:01
>user.log -> Dec 12 06:00:59
>boot       -> Fri Dec 12 06:00:58 2025
>trim.log  -> Thu, 11 Dec 2025 07:48:33 -0300
>(not the complete list)

>
>> ... logging with an ISO date you should include
>> ts-format(iso); in the list of global options in
>> /etc/syslog-ng/syslog-ng.conf.
>[syslog-ng.conf] would get all logs to the *same* format?
>
>I don't mind the BSD format, shorter and easier to read.
>
>My box is just a WS, timezone and year are of no particular interest
>as logs are rotated, zipped and discarded on a standard schedule.
>Should I need anything older than the last five, I have my backups.
>Fortunately, I have never had to resort to them.
>

Whether you use BSD or ISO is largely a personal matter.
I would strongly prefer a timestamp that provided the year.
I just thought it would be helpful to mention what happens when you run a basic replacement.
If you were using ISO previously, as I was, then just substituting syslog-ng will result in a discontinuity in the timestamps in your managed log files.
Where the logs are to be processed by another application then you may need to check if that app has any expectations in this respect. I did this replacement on my desktop machine where I'm, like you, not that fussy. I wanted to know it would work as I expect before I updated my mail server where there are programs such as fail2ban that process the logs.

>> ... amended default syslog-ng.conf now in part reads:
>>
>> # First, set some global options.
>> options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
>>                dns_cache(no); owner("root"); group("adm"); perm(0640);
>>                stats_freq(0); bad_hostname("^gconfd$");
>>                ts-format(iso);
>> };
>
>So the stanza for the BSD standard would be this one?
>ie: [ts-format(bsd);]
>

If you are content with the default BSD timestamp you don't need to include anything; if ts-format(iso) is missing then you will get BSD.
If you want something else entirely then you can configure syslog-ng to provide it, and you can do it on a per-output basis. This may be something you want to do if you are exporting the logs from a server to another machine and maybe not to a file - syslog-ng is very flexible.

--
Marjorie
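
Added example, not part of the original message: a Python sketch of the check suggested above for anything that processes these logs, reading a file whose timestamps switch from ISO to BSD and reporting where the switch happens. The names `parse_line` and `scan`, the sample lines, and the assumption that BSD stamps are in UTC are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a log that was ISO-stamped until the default
# syslog-ng config took over and began writing BSD stamps.
SAMPLE = """\
2025-12-11T15:55:05+00:00 host sshd[811]: Failed password for root from 192.0.2.7 port 4242 ssh2
Dec 11 16:02:41 host sshd[902]: Failed password for root from 192.0.2.7 port 4250 ssh2
Dec  9 03:00:00 host CRON[77]: session opened for user root
not a syslog line
"""

ISO_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{6})?[+-]\d\d:\d\d)\s")
BSD_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d:\d\d:\d\d)\s")

def parse_line(line, now, local_tz=timezone.utc):
    """Return (format, aware datetime), or (None, None) if no known stamp."""
    m = ISO_RE.match(line)
    if m:
        return "iso", datetime.fromisoformat(m.group(1))
    m = BSD_RE.match(line)
    if m:
        mon, day, hms = m.groups()
        # BSD stamps carry no year or zone: assume local_tz and the most
        # recent year that does not put the entry in the future.
        for year in (now.year, now.year - 1):
            try:
                ts = datetime.strptime(f"{year} {mon} {day.strip()} {hms}",
                                       "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
            except ValueError:  # bad month name, or Feb 29 in a non-leap year
                continue
            if ts <= now + timedelta(days=1):
                return "bsd", ts
    return None, None

def scan(text, now):
    """Return (timestamps, switches); switches lists (line_no, old_fmt, new_fmt)."""
    stamps, switches, prev = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        fmt, ts = parse_line(line, now)
        if fmt is None:
            continue
        if prev and fmt != prev:
            switches.append((n, prev, fmt))
        prev = fmt
        stamps.append(ts)
    return stamps, switches

if __name__ == "__main__":
    print(scan(SAMPLE, datetime(2025, 12, 12, 12, 0, tzinfo=timezone.utc)))
```

A reported switch marks the point at which a year-less, zone-less stamp starts being guessed rather than read, which is where a downstream tool's time windows are most likely to go wrong.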