Date/time format in /var/log/secure

[gscott187]

A simple problem that I just can't get to the bottom of:

I'm running CentOS v 5.X. The date/time logging in /var/log/secure looks like this:

2010-10-25T17:10:55.612309+01:00 hostname sshd[25760]: Did not receive identification string from XXX.XXX.XXX.XXX
2010-10-25T17:11:25.429817+01:00 hostname sshd[25762]: Did not receive identification string from XXX.XXX.XXX.XXX
2010-10-25T17:11:55.416327+01:00 hostname sshd[25797]: Did not receive identification string from XXX.XXX.XXX.XXX
2010-10-25T17:12:25.472911+01:00 hostname sshd[25800]: Did not receive identification string from XXX.XXX.XXX.XXX


However, I want the date/time format to look like this:

Oct 24 19:34:57 s0020 su: pam_unix(su-l:session): session opened for user root by user (uid=500)
Oct 24 20:12:06 s0020 su: pam_unix(su-l:session): session closed for user user
Oct 24 20:12:08 s0020 sshd[6607]: pam_unix(sshd:session): session closed for user user

I must be really dense today

Can anyone enlighten me?

[gscott187]

Feeling a little less dense today. Here's the answer. For Centos 5.X running rsyslogd:

Add the line in red below to the top of /etc/rsyslog.conf

$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

Still in /etc/rsyslog.conf, add ;TraditionalFormat to the line dealing with the /var/log/secure log file:

# The authpriv file has restricted access.
authpriv.* /var/log/secure;TraditionalFormat

Restart rsyslogd with:

# service rsyslog restart


The contents of /var/log/secure now read:

Oct 26 10:20:25 vhost sshd[10487]: Did not receive identification string from XXX.XXX.XXX.XXX
Oct 26 10:20:55 vhost sshd[10553]: Did not receive identification string from XXX.XXX.XXX.XXX
Oct 26 10:21:25 vhost sshd[10555]: Did not receive identification string from XXX.XXX.XXX.XXX

which is a lot more useable for my purposes