Changing Date Format in Syslog

Last updated: March 18, 2024

Reviewed by: Korbin Brown

1. Introduction

syslog timestamps come in two forms: high-precision timestamps and low-precision timestamps. While the high-precision timestamps come in the ISO 8601 format, the low-precision timestamps come as MMM dd HH:mm:ss (month in words, day and time in numbers).

Low-precision timestamps favor readability. On the other hand, the high-precision format offers more details about the time of the log. So, if we want our logs to be readily readable, we’ll opt for the low-precision timestamp. But if we want to know more about when the log event happened, we’ll use the high-precision timestamp.

So, how do we change the timestamp format in syslog? In this tutorial, we’ll talk about how to change the date format in syslog. We’ll also go over the rsyslog.conf file.

2. The rsyslog.conf File

The rsyslog.conf file is the configuration file for the rsyslog utility. It contains logging modules, logging rules, global directives for logging, logging templates, and pretty much any logging-related config. Knowing this, we can format the date – as well as the timestamp – of our logs by editing the rsyslog.conf file.

3. Changing to Low-Precision Format

syslog uses a global directive called $ActionFileDefaultTemplate to define its log template. Then, the specified template determines the log file format, including the timestamp format.

syslog comes with various reserved/built-in templates. Some of them use the low-precision timestamp format, and others use the high-precision format. Depending on what we’re going for, we can specify any of them using the $ActionFileDefaultTemplate global directive.

Of course, the existence of reserved templates implies that we can create custom templates. However, we’ll only use reserved templates in this tutorial.

We can use the low-precision format for our logs by specifying any of these reserved templates:

  • RSYSLOG_TraditionalFileFormat
  • RSYSLOG_TraditionalForwardFormat (This is used when forwarding logs to rsyslogd below v3.12.5 and other syslogd variants)

Since we won’t be forwarding our logs, we’ll use the RSYSLOG_TraditionalFileFormat template.

Let’s open the rsyslog.conf file:

$ sudo cat /etc/rsyslog.conf
...truncated...
###########################
#### GLOBAL DIRECTIVES ####
###########################
...truncated...
$ActionFileDefaultTemplate
...truncated...

Then we’ll specify RSYSLOG_TraditionalFileFormat as the default log template:

$ sudo cat /etc/rsyslog.conf
...truncated...
###########################
#### GLOBAL DIRECTIVES ####
###########################
...truncated...
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
...truncated...

Now, let’s restart syslog so the change can take effect:

$ sudo systemctl restart syslog

In our rsyslog configuration file above, the $ActionFileDefaultTemplate is set to RSYSLOG_TraditionalForwardFormat. So, our logs will now use the low-precision timestamp (month in words, day in numbers).

Here’s our daemon.log file showing a low-precision timestamp:

$ sudo cat /var/log/daemon.log
...truncated...
Mar 29 16:34:49 localhost dhclient[435]: bound to 192.168.56.4 -- renewal in 237 seconds.

4. Changing to High-Precision Format

We can switch from the low-precision format to the high-precision format in two ways:

  • Comment the $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat config block.
  • Replace RSYSLOG_TraditionalForwardFormat with a high-precision timestamp template.

4.1. Commenting the $ActionFileDefaultTemplate Config

Commenting out the $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat config block in rsyslog.conf automatically changes the log file template to RSYSLOG_FileFormat. Since RSYSLOG_FileFormat uses the high-precision format, our date will now be logged according to the ISO 8601 standard.

So, let’s comment out the $ActionFileDefaultTemplate config in our rsyslog.conf file:

$ sudo cat /etc/rsyslog.conf
...truncated...
###########################
#### GLOBAL DIRECTIVES ####
###########################
...truncated...
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
...truncated...

We’ll restart syslog to activate the change:

$ sudo systemctl restart syslog

Here’s what our daemon.log looks like now:

$ sudo cat /var/log/daemon.log
...truncated...
2023-03-29T20:35:12.006126+01:00 localhost systemd[1]: Started System Logging Service.

4.2. Using a High-Precision Log File Template

As with low-precision timestamps, we can specify any of the following templates to switch to high-precision timestamps:

  • RSYSLOG_FileFormat
  • RSYSLOG_ForwardFormat (This is used for forwarding logs to rsyslogd v3.12.5 and above)

We’ll use the RSYSLOG_FileFormat template since we’re not forwarding our logs.

Now, let’s edit our rsyslog.conf:

$ sudo cat /etc/rsyslog.conf
...truncated...
###########################
#### GLOBAL DIRECTIVES ####
###########################
...truncated...
$ActionFileDefaultTemplate RSYSLOG_FileFormat
...truncated...

Now, we restart syslog:

$ sudo systemctl restart syslog

Then we check our daemon.log:

$ sudo cat /var/log/daemon.log
...truncated...
2023-03-29T22:24:41.836617+01:00 localhost systemd[1]: Started System Logging Service.

The format remains high-precision.

5. Conclusion

In this article, we talked about how to switch between the low-precision timestamp format and the high-precision timestamp format of syslog. It also briefly looked into what the rsyslog.conf file does.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.