rsyslog doesn't convert the timestamps that it receives.

A better bet would be to change the other system(s) to run in UTC. It's a good idea anyway: if you run in local time, you have crontab entries that cannot be run or run twice when time shifts, and if you write logs to files that have the time as part of the filename, you will get 'odd' results when the time moves backwards.

David Lang

 On Tue, 16 Apr 2019, Kelly McCubbin wrote:

Date: Tue, 16 Apr 2019 10:57:53 -0700
From: Kelly McCubbin <[email protected]>
To: David Lang <[email protected]>
Cc: Kelly McCubbin via rsyslog <[email protected]>
Subject: Re: [rsyslog] Timezone Question

Tricky.
What about the other way around; could we somehow force Rsyslog to assume
that anything unlabeled with a time zone was, as a default, UTC?

On Tue, Apr 16, 2019 at 10:39 AM David Lang <[email protected]> wrote:

On Tue, 16 Apr 2019, Kelly McCubbin via rsyslog wrote:

I may have posed this before, but I haven't found a solution yet; so I'm
going to come at it from a different angle.
We're processing syslogs from Cisco nextgen firewalls (FTDs).  The firewall
sends the logs with no time zone stamp, but the time is in UTC.
We correlate those logs on our Rsyslog server with other logs that are
labelled correctly, so the time is adjusted to our local time (PST).
We'd like to find a way to force the logs from the Cisco firewalls to also
adjust to PST so that they match up with the logs that have the correct
time.

Is there any way to do this?

There is not a good way to do this, the glibc timezone conversion functions
rely on environment variables and so would have to be duplicated. You would
then need to have some sort of decision function (possibly using
table_lookup()) to decide what correction to make to what hosts.

I think a better approach may be to find a way to use the parse_time()
function to convert the time to epoch time, then add a number to it (not
allowed currently AFAIK) and then convert to a text timestamp (using
format_time(), which really needs to be extended)

David Lang
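
An added example, not written by anyone in this thread and not rsyslog code: a stand-alone Python post-processor that does what the thread discusses outside rsyslog, using a per-host table to decide which zone a zoneless timestamp is assumed to be in and normalising every event to UTC epoch seconds so the sources line up. Host names, the line layout (ISO 8601 timestamp, host, message) and the sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical decision table: zone to assume when a sender omits one.
# Fixed offsets do not follow DST, which is one more reason to run senders in UTC.
ASSUMED_ZONE = {
    "ftd-edge-1": timezone.utc,                    # zoneless, but known to log in UTC
    "legacy-app": timezone(timedelta(hours=-8)),   # zoneless, fixed local offset
}
DEFAULT_ZONE = timezone.utc  # policy for unknown senders: treat unlabelled as UTC


def to_utc(host: str, stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and return it as an aware UTC datetime."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        # Unlabelled: apply the per-host assumption, never the server's local zone.
        parsed = parsed.replace(tzinfo=ASSUMED_ZONE.get(host, DEFAULT_ZONE))
    return parsed.astimezone(timezone.utc)


def normalize(lines):
    """Return (utc_epoch, host, message) tuples sorted into one timeline."""
    events = []
    for line in lines:
        stamp, host, msg = line.split(" ", 2)
        events.append((int(to_utc(host, stamp).timestamp()), host, msg))
    return sorted(events)


# Constructed sample input: one zoneless UTC sender, two correctly labelled ones.
SAMPLE = [
    "2019-04-16T17:57:53 ftd-edge-1 connection built (constructed)",
    "2019-04-16T10:57:50-07:00 app-01 login accepted (constructed)",
    "2019-04-16T17:57:55Z core-sw-2 link up (constructed)",
]

if __name__ == "__main__":
    for epoch, host, msg in normalize(SAMPLE):
        iso = datetime.fromtimestamp(epoch, timezone.utc).isoformat()
        print(iso, host, msg)
```
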

