Changing date format in syslog

There are always new options for the date problem, adding just a couple of lines.
My solution comes adding a file to /etc/rsyslog.d/, for example myrsyslog.conf, then add the format of your choice, mine is:

$template myformat,"%TIMESTAMP:1:10:date-rfc3339% %TIMESTAMP:19:12:date-rfc3339% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myformat

This will apply the new format to your logs, making it easy to parse.

Before:

Sep  3 12:52:37 whs dhcpcd[477]: wlan0: expired address ...
Sep  3 12:52:37 whs dhcpcd[477]: wlan0: part of Router Advertisement expired
Sep  3 12:52:37 whs dhcpcd[477]: wlan0: deleting route to ...

After:

2020-09-03 13:00:49 systemd[1]: rsyslog.service: Succeeded. 
2020-09-03 13:00:49 systemd[1]: Stopped System Logging Service. 
2020-09-03 13:00:49 systemd[1]: Starting System Logging Service...
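
As an added example (not part of the answer above), this Python sketch parses both layouts to show what the change buys when correlating logs: the old layout forces the reader to guess the year, the new one does not. The names `parse_line`, `LEGACY` and `ISO` are assumptions made for this example, and the `sshd` line is constructed sample input.

```python
import re
from datetime import datetime, timedelta

# "Before" layout: month name, space-padded day, no year, then host and tag.
LEGACY = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                    r"(?P<host>\S+) (?P<tag>\S+?): ?(?P<msg>.*)$")
# "After" layout from the myformat template: full date, time, tag, message.
ISO = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                 r"(?P<tag>\S+?): ?(?P<msg>.*)$")


def parse_line(line, now):
    """Return (timestamp, host, tag, msg); host is None for the new layout.

    `now` is the time the file is read. It is only needed for the legacy
    layout, where the year has to be guessed.
    """
    m = ISO.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return ts, None, m["tag"], m["msg"]
    m = LEGACY.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    # Assume the current year (%b needs the default C/English locale).
    ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # A timestamp in the future was written in an earlier year; assume the previous one.
    if ts > now + timedelta(days=1):
        ts = ts.replace(year=now.year - 1)
    return ts, m["host"], m["tag"], m["msg"]


if __name__ == "__main__":
    old = "Sep  3 12:52:37 whs dhcpcd[477]: wlan0: part of Router Advertisement expired"
    new = "2020-09-03 13:00:49 systemd[1]: Stopped System Logging Service."
    rollover = "Dec 31 23:59:58 whs sshd[812]: session closed"  # constructed line
    # Same legacy line, read in two different years: two different answers.
    print(parse_line(old, datetime(2020, 9, 3, 13, 0))[0])
    print(parse_line(old, datetime(2021, 9, 3, 13, 0))[0])
    # Read just after midnight on 1 January: year falls back to 2020.
    print(parse_line(rollover, datetime(2021, 1, 1, 0, 5))[0])
    # The new layout needs no guessing.
    print(parse_line(new, datetime(2021, 9, 3, 13, 0))[0])
```

Both layouts still yield local time without a UTC offset, because the template keeps only the date and time parts of the `date-rfc3339` value.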

Even if you found a different solution, I am giving an answer for others.

Edit your syslog configuration file (on Debian, for example: /etc/syslog-ng/syslog-ng.conf).

Then declare a new template like this:

template template_date_format {
    template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
    template_escape(no);
};

This is an example, but you can use different macros according to the syslog documentation linked in user9645's answer.

After that, find in this configuration file all the files whose output format you want to change, and apply this template to them.

For example, I want to change the /var/log/auth.log output format, so I change:

destination d_auth { file("/var/log/auth.log"); };

to:

destination d_auth { file("/var/log/auth.log" template(template_date_format)); };

Then restart syslog (service syslog-ng restart) and try a login to see the changes in your auth.log.


I had the same issue using FreeBSD 9.2 and Zabbix system monitor GUI which cannot handle things like 'Jan' or 'Feb' in the date stamp (!) on the system log messages.

What I did was install the sysutils/syslog-ng port, and use the convert-syslogconf.awk script to migrate my /etc/syslog.conf to /usr/local/etc/syslog-ng.conf (which thankfully seemed to work well with even a fairly complex config) and added this custom formatting template to all the file() destinations:

template t_msgfmt {
    template("${ISODATE} ${HOST} ${FACILITY} ${LEVEL} ${MSGHDR}${MSG}\n");
    template_escape(no);
};

You can find (lots) more formatting info in the syslog-ng manual section 11.1. It is working well for me (so far); hope it helps you!