On Tue, Jan 31, 2017 at 11:10 AM, Jochen Schalanda <joc...@graylog.com> wrote:
> do the syslog messages from SUSE Linux on "Input 2" contain any timezone
> information? If not, Graylog automatically assumes UTC.

Yeah this is a common problem with centralized syslog environments. The old standard assumed everyone lived in one timezone: ah for life to be that easy :-)

So Jochen is correct in that the best thing to do would be to fix the problem at source - but in practice that can be an immense task. Not only with timezone issues, but also with dumb devices that can't keep good time.

I think the syslog INPUT channel could do with a new feature to help solve this problem at destination. Currently on syslog INPUT channels you can set "allow_override_date" to true/false. But "true" actually means "override date and set to current time *if you cannot parse the date from the message*". I think if that was to be changed to a checkbox of "false", "true-on-error" and "always" (ie throw away valid timestamps in message and replace with "now"), then that would solve the problem for a bunch of people.

If you're using syslog, then your records are flowing into Graylog within sub-second accuracy - so throwing away the perceived timestamp and putting a proper one in doesn't change the accuracy. And for those where being off by 0.4sec matters - well continue to use 'false' :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
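The three modes proposed in the message above ("false", "true-on-error", "always"), sketched as an added example that is not part of the original e-mail and is not Graylog's code. The function names, the sample log lines and the UTC+13 sender are constructed assumptions; the UTC default follows the behaviour described in the quoted reply.

```python
import re
from datetime import datetime, timezone

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss host msg" has no year and no UTC offset.
RFC3164 = re.compile(r"^<\d{1,3}>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) ")

def parse_rfc3164(raw, received_at, assumed_tz=timezone.utc):
    """Return an aware datetime, or None if no RFC 3164 stamp parses.

    The message carries no zone, so the receiver has to assume one
    (UTC here, as described in the thread).
    """
    m = RFC3164.match(raw)
    if not m:
        return None
    try:
        # The year is borrowed from receipt time because the format lacks one.
        naive = datetime.strptime(f"{received_at.year} {m.group(1)}",
                                  "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return naive.replace(tzinfo=assumed_tz)

def resolve_timestamp(raw, received_at, mode):
    """Pick the stored timestamp under one of the three proposed modes."""
    if mode == "always":
        # Discard whatever the sender claimed; trust the receiver's clock.
        return received_at
    parsed = parse_rfc3164(raw, received_at)
    if mode == "true-on-error":
        return parsed if parsed is not None else received_at
    if mode == "false":
        return parsed  # None means unparseable; handling that is out of scope
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: a host at UTC+13 logs its local time 11:10:00 on Jan 31,
# which the collector receives 0.4 s later at 22:10:00.4 UTC on Jan 30.
RECEIVED = datetime(2017, 1, 30, 22, 10, 0, 400000, tzinfo=timezone.utc)
GOOD = "<38>Jan 31 11:10:00 suse01 sshd[4242]: Accepted publickey for admin"
BAD = "<38>31/01/2017 11:10 suse01 sshd[4242]: Accepted publickey for admin"

def skew(mode, raw=GOOD):
    """Stored timestamp minus actual receipt time."""
    return resolve_timestamp(raw, RECEIVED, mode) - RECEIVED
```

With the constructed input, `skew("false")` and `skew("true-on-error")` both come out just under 13 hours in the future, while `skew("always")` is zero, which is the trade-off the message describes when correlating events across hosts.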