Tricky. What about the other way around; could we somehow force Rsyslog to assume that anything unlabeled with a time zone was, as a default, UTC?
On Tue, Apr 16, 2019 at 10:39 AM David Lang <[email protected]> wrote:

> On Tue, 16 Apr 2019, Kelly McCubbin via rsyslog wrote:
>
> > I may have posed this before, but I haven't found a solution yet; so I'm
> > going to come at it from a different angle.
> > We're processing syslogs from Cisco nextgen firewalls (FTDs). The firewall
> > sends the logs with no time zone stamp, but the time is in UTC.
> > We correlate those logs on our Rsyslog server with other logs that are
> > labelled correctly, so the time is adjusted to our local time (PST).
> > We'd like to find a way to force the logs from the Cisco firewalls to also
> > adjust to PST so that they match up with the logs that have the correct
> > time.
> >
> > Is there any way to do this?
>
> There is not a good way to do this, the glibc timezone conversion functions
> rely on environment variables and so would have to be duplicated. You would
> then need to have some sort of decision function (possibly using
> table_lookup() ) to decide what correction to make to what hosts.
>
> I think a better approach may be to find a way to use the parse_time()
> function to convert the time to epoch time, then add a number to it (not
> allowed currently AFAIK) and then convert to a text timestamp (using
> format_time(), which really needs to be extended)
>
> David Lang
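The approach discussed in this thread (a per-host table that decides which zone an unlabelled timestamp is in, conversion to epoch time, then re-rendering in one zone), sketched in Python as an added example that is not part of the original messages and runs outside rsyslog. The host names, sample lines and the fixed `-08:00` offset are constructed assumptions; a DST-aware `zoneinfo.ZoneInfo("America/Los_Angeles")` can be passed as `out_zone` instead.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
PST = timezone(timedelta(hours=-8), "PST")  # fixed offset, no DST handling

# Hypothetical per-host table: zone to assume when a stamp carries no offset.
ASSUMED_ZONE = {"ftd-fw1": UTC}   # firewalls that log UTC without saying so
DEFAULT_ZONE = PST                # other unlabelled senders log local time

LINE = re.compile(
    r"^(?:<\d+>)?"                                   # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"   # "Jan 15 18:39:00"
    r"|\d{4}-\d\d-\d\dT\S+) "                        # or ISO 8601 / RFC 3339
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def normalize(line, year, out_zone=PST):
    """Return (epoch, rewritten_line), or None if the line does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    ts, host = m["ts"], m["host"]
    try:
        if ts[0].isalpha():   # RFC 3164 style: no year, no zone
            dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        else:                 # ISO style, offset optional
            dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:     # unlabelled: apply the per-host assumption
        dt = dt.replace(tzinfo=ASSUMED_ZONE.get(host, DEFAULT_ZONE))
    epoch = int(dt.timestamp())
    return epoch, f"{dt.astimezone(out_zone).isoformat()} {host} {m['msg']}"

# Constructed sample lines: all three describe the same instant.
SAMPLES = [
    "<134>Jan 15 18:39:00 ftd-fw1 constructed firewall event",  # UTC, unlabelled
    "<13>2019-01-15T10:39:00-08:00 app01 constructed app event",  # labelled
    "<13>Jan 15 10:39:00 web01 constructed web event",  # local, unlabelled
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample, 2019))
```

Correlating on the returned epoch value avoids depending on any sender's wall-clock zone; the rewritten line is only for display.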

