Mailing List Archive

enforce all incoming logs with local server time
Hi

I have a system "ServerA" acting as central rsyslog endpoint. A bunch of hosts forward their syslog logs there.

Some hosts are in a different time zone, so when logs arrive from those particular hosts they appear at +8 hours.


* changing the timezone of the client (system that sends the logs) is not an option.
* I am using RSYSLOG_FileFormat as default template on the central server

I would like "ServerA" to store all incoming logs from the systems according to its local timezone.

The approach I took was to clone RSYSLOG_FileFormat from documentation* and change the property from timereported to timegenerated

template(name="custom_FileFormat" type="list") {
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

$ActionFileDefaultTemplate custom_FileFormat


That seems to have worked; however, I noticed that with the "timegenerated" modification there are some extra digits added to the timestamp:


# local server time 2022-05-10 06:45:07PDT
# Below - unmodified RSYSLOG_FileFormat
2022-05-10T13:41:52-07:00 app1.example.com lab: TEST


# cloned RSYSLOG_FileFormat with timegenerated
2022-05-10T06:45:19.323828-07:00 app2.example.com lab: TEST


1. Is this expected?
2. Is this the best approach to enforce all incoming logs to local server timezone?

Thanks,
D.

*https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: enforce all incoming logs with local server time
Yes, a custom template is the right approach, and yes, that is the expected
timestamp format.

David Lang

On Tue, 10 May 2022, Dimi Onobodies via rsyslog wrote:

> Date: Tue, 10 May 2022 14:04:47 +0000
> From: Dimi Onobodies via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Dimi Onobodies <dimi_kdj@hotmail.com>
> Subject: [rsyslog] enforce all incoming logs with local server time
>
> Hi
>
> I have a system "ServerA" acting as central rsyslog endpoint. A bunch of hosts forward their syslog logs there.
>
> Some hosts are in a different time zone, so when logs arrive from those particular hosts they appear at +8 hours.
>
>
> * changing the timezone of the client (system that sends the logs) is not an option.
> * I am using RSYSLOG_FileFormat as default template on the central server
>
> I would like "ServerA" to store all incoming logs from the systems according to its local timezone.
>
> The approach I took was to clone RSYSLOG_FileFormat from documentation* and change the property from timereported to timegenerated
>
> template(name="custom_FileFormat" type="list") {
>     property(name="timegenerated" dateFormat="rfc3339")
>     constant(value=" ")
>     property(name="hostname")
>     constant(value=" ")
>     property(name="syslogtag")
>     property(name="msg" spifno1stsp="on")
>     property(name="msg" droplastlf="on")
>     constant(value="\n")
> }
>
> $ActionFileDefaultTemplate custom_FileFormat
>
>
> That seems to have worked; however, I noticed that with the "timegenerated" modification there are some extra digits added to the timestamp:
>
>
> # local server time 2022-05-10 06:45:07PDT
> # Below - unmodified RSYSLOG_FileFormat
> 2022-05-10T13:41:52-07:00 app1.example.com lab: TEST
>
>
> # cloned RSYSLOG_FileFormat with timegenerated
> 2022-05-10T06:45:19.323828-07:00 app2.example.com lab: TEST
>
>
> 1. Is this expected?
> 2. Is this the best approach to enforce all incoming logs to local server timezone?
>
> Thanks,
> D.
>
> *https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
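
Added example (not from the thread or the rsyslog project): switching the file template to timegenerated drops the sender's own timestamp from the stored line. The template below keeps the server receipt time as the leading timestamp, as in custom_FileFormat above, and appends timereported as a trailing field so the original value stays available when correlating events. The template name central_FileFormat, the [reported=...] field layout and the output file path are assumptions chosen for illustration.

```conf
# Added example: central_FileFormat, the "[reported=...]" suffix and the
# file path are illustrative assumptions, not values from the thread.
#
# Field order written per line:
#   1. timegenerated  - when this rsyslog instance received the message,
#                       rendered in the server's local zone
#   2. hostname, syslogtag, msg - same as RSYSLOG_FileFormat
#   3. timereported   - the timestamp carried in the message by the sender
template(name="central_FileFormat" type="list") {
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value=" [reported=")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="]\n")
}

# Bind the template to a single file action rather than changing the
# default for every file output.
action(type="omfile" file="/var/log/central/all.log" template="central_FileFormat")
```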