A simple problem that I just can't get to the bottom of: I'm running CentOS v 5.X. The date/time logging in /var/log/secure looks like this:

2010-10-25T17:10:55.612309+01:00 hostname sshd[25760]: Did not receive identification string from XXX.XXX.XXX.XXX
2010-10-25T17:11:25.429817+01:00 hostname sshd[25762]: Did not receive identification string from XXX.XXX.XXX.XXX
2010-10-25T17:11:55.416327+01:00 hostname sshd[25797]: Did not receive identification string from XXX.XXX.XXX.XXX
2010-10-25T17:12:25.472911+01:00 hostname sshd[25800]: Did not receive identification string from XXX.XXX.XXX.XXX

However, I want the date/time format to look like this:

Oct 24 19:34:57 s0020 su: pam_unix(su-l:session): session opened for user root by user (uid=500)
Oct 24 20:12:06 s0020 su: pam_unix(su-l:session): session closed for user user
Oct 24 20:12:08 s0020 sshd[6607]: pam_unix(sshd:session): session closed for user user

I must be really dense today. Can anyone enlighten me?
Feeling a little less dense today. Here's the answer.

For CentOS 5.X running rsyslogd:

Add the line in red below to the top of /etc/rsyslog.conf

$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

Still in /etc/rsyslog.conf, add ;TraditionalFormat to the line dealing with the /var/log/secure log file:

# The authpriv file has restricted access.
authpriv.* /var/log/secure;TraditionalFormat

Restart rsyslogd with:

# service rsyslog restart

The contents of /var/log/secure now read:

Oct 26 10:20:25 vhost sshd[10487]: Did not receive identification string from XXX.XXX.XXX.XXX
Oct 26 10:20:55 vhost sshd[10553]: Did not receive identification string from XXX.XXX.XXX.XXX
Oct 26 10:21:25 vhost sshd[10555]: Did not receive identification string from XXX.XXX.XXX.XXX

which is a lot more useable for my purposes
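
The template change above only affects lines written after the restart, so an existing /var/log/secure ends up with both timestamp styles. The following is an added example, not part of the original posts: a small converter that rewrites already-logged high-precision lines into the traditional layout so log-review tooling sees one format. The function names and the sample list are hypothetical; the traditional layout drops the year and UTC offset, so keep the original file if those matter for an investigation.

```python
import re
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Leading RFC 3339 timestamp: date, wall-clock time, optional fraction, UTC offset.
RFC3339_PREFIX = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}) (.*)$"
)


def to_traditional(line):
    """Rewrite one high-precision line as 'Mmm dd hh:mm:ss rest of record'."""
    line = line.rstrip("\n")
    m = RFC3339_PREFIX.match(line)
    if m is None:
        return line  # already traditional, or not a timestamped record
    fields = [int(g) for g in m.groups()[:6]]
    try:
        ts = datetime(*fields)  # rejects impossible values such as month 13
    except ValueError:
        return line
    # Keep the wall-clock time the host logged; the traditional layout pads a
    # single-digit day with a space ("Oct  5"), not a zero.
    return f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S} {m.group(7)}"


def convert(lines):
    """Convert an iterable of log lines, leaving unrecognised lines untouched."""
    return [to_traditional(line) for line in lines]


# Sample input: the first and third lines are taken from the question, the
# second is constructed to show single-digit day padding.
SAMPLE = [
    "2010-10-25T17:10:55.612309+01:00 hostname sshd[25760]: Did not receive "
    "identification string from XXX.XXX.XXX.XXX",
    "2010-10-05T07:01:02.000001+01:00 hostname sshd[1]: constructed sample",
    "Oct 24 20:12:06 s0020 su: pam_unix(su-l:session): session closed for user user",
]

if __name__ == "__main__":
    for converted in convert(SAMPLE):
        print(converted)
```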