Hi
I have a system "ServerA" acting as a central rsyslog endpoint. A bunch of hosts forward their syslog logs there.
Some hosts are in a different time zone, so when logs arrive from those particular hosts they appear in +8 hours.
* Changing the timezone of the client (the system that sends the logs) is not an option.
* I am using RSYSLOG_FileFormat as the default template on the central server.
I would like "ServerA" to store all incoming logs from the systems according to its local timezone.
The approach I took was to clone RSYSLOG_FileFormat from the documentation* and change the property from timereported to timegenerated:
template(name="custom_FileFormat" type="list") {
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}
$ActionFileDefaultTemplate custom_FileFormat
That seems to have worked; however, I noticed that with the "timegenerated" modification there are some extra digits added to the timestamp:
# local server time 2022-05-10 06:45:07PDT
# Below - unmodified RSYSLOG_FileFormat
2022-05-10T13:41:52-07:00 app1.example.com lab: TEST
# cloned RSYSLOG_FileFormat with timegenerated
2022-05-10T06:45:19.323828-07:00 app2.example.com lab: TEST
1. Is this expected?
2. Is this the best approach to force all incoming logs to the local server timezone?
Thanks,
D.
*https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
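Added example, not part of the original post and not rsyslog project code: a Python check that compares the sender-supplied and receiver-side timestamps per host, to tell a whole-hour timezone offset from ordinary clock drift. The two-timestamp line layout (timegenerated first, then timereported), the sample lines and the 300-second tolerance are assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample lines: "<timegenerated> <timereported> <hostname> <tag> <msg>".
# This two-timestamp layout is an assumption (a template that writes both
# properties in rfc3339); it is not the format shown in the post.
SAMPLE = """\
2022-05-10T06:41:52.101200-07:00 2022-05-10T13:41:52-07:00 app1.example.com lab: TEST
2022-05-10T06:43:10.500000-07:00 2022-05-10T13:43:09-07:00 app1.example.com lab: TEST
2022-05-10T06:45:19.323828-07:00 2022-05-10T06:45:19-07:00 app2.example.com lab: TEST
2022-05-10T06:46:02.000100-07:00 2022-05-10T06:45:58-07:00 app2.example.com lab: TEST
"""

def host_skews(text):
    """Return {hostname: median (timereported - timegenerated) in seconds}."""
    per_host = {}
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # not enough fields, skip malformed line
        generated, reported, host, _ = parts
        try:
            delta = datetime.fromisoformat(reported) - datetime.fromisoformat(generated)
        except ValueError:
            continue  # unparsable timestamp, skip
        per_host.setdefault(host, []).append(delta.total_seconds())
    return {h: median(v) for h, v in per_host.items()}

def classify(skew_seconds, tolerance=300):
    """Label a skew as 'ok', 'tz-offset:+Nh' or 'clock-drift'."""
    if abs(skew_seconds) <= tolerance:
        return "ok"
    hours = round(skew_seconds / 3600)
    # A skew within tolerance of a whole number of hours points at a
    # timezone interpretation problem rather than a drifting clock.
    if hours != 0 and abs(skew_seconds - hours * 3600) <= tolerance:
        return f"tz-offset:{hours:+d}h"
    return "clock-drift"

def report(text):
    """Map each host to its classification."""
    return {h: classify(s) for h, s in host_skews(text).items()}

if __name__ == "__main__":
    for host, label in report(SAMPLE).items():
        print(host, label)
```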