Ok, this is hokey, but I Kobayashi Maru'd it. Figuring that the timereported time would always be correct per the actual event time in UTC and the timegenerated time would always have the local hour right, I changed my template to this...
property(name="timereported" dateFormat="year")
constant(value="-")
property(name="timereported" dateFormat="month")
constant(value="-")
property(name="timereported" dateFormat="day")
constant(value=" ")
property(name="timegenerated" dateFormat="hour")
constant(value=":")
property(name="timereported" dateFormat="minute")
constant(value=":")
property(name="timereported" dateFormat="second")

I recognize that there might be a half second each hour that the hour might be off, but that should be pretty obvious when it happens and since this is a tool that we use for troubleshooting, not for any legal retention, I think that's acceptable.

- Kelly

On Tue, Apr 16, 2019 at 11:00 AM David Lang <[email protected]> wrote:

> rsyslog doesn't convert the timestamps that it receives.
>
> a better bet would be to change the other system(s) to run in UTC. It's a good
> idea anyway, if you run in local time you have crontab entries that can not be
> run or run twice when time shifts, and if you write logs to files that have the
> time as part of the filename, you will get 'odd' results when the time moves
> backwards.
>
> David Lang
>
> On Tue, 16 Apr 2019, Kelly McCubbin wrote:
>
> > Date: Tue, 16 Apr 2019 10:57:53 -0700
> > From: Kelly McCubbin <[email protected]>
> > To: David Lang <[email protected]>
> > Cc: Kelly McCubbin via rsyslog <[email protected]>
> > Subject: Re: [rsyslog] Timezone Question
> >
> > Tricky.
> > What about the other way around; could we somehow force Rsyslog to assume
> > that anything unlabeled with a time zone was, as a default, UTC?
> >
> > On Tue, Apr 16, 2019 at 10:39 AM David Lang <[email protected]> wrote:
> >
> >> On Tue, 16 Apr 2019, Kelly McCubbin via rsyslog wrote:
> >>
> >>> I may have posed this before, but I haven't found a solution yet; so I'm
> >>> going to come at it from a different angle.
> >>> We're processing syslogs from Cisco nextgen firewalls (FTDs). The firewall
> >>> sends the logs with no time zone stamp, but the time is in UTC.
> >>> We correlate those logs on our Rsyslog server with other logs that are
> >>> labelled correctly, so the time is adjusted to our local time (PST).
> >>> We'd like to find a way to force the logs from the Cisco firewalls to also
> >>> adjust to PST so that they match up with the logs that have the correct
> >>> time.
> >>>
> >>> Is there any way to do this?
> >>
> >> There is not a good way to do this, the glibc timezone conversion functions rely
> >> on environment variables and so would have to be duplicated. you would then need
> >> to have some sort of decision function (possibly using table_lookup() ) to
> >> decide what correction to make to what hosts.
> >>
> >> I think a better approach may be to find a way to use the parse_time()
> >> function to convert the time to epoch time, then add a number to it (not allowed
> >> currently AFAIK) and then convert to a text timestamp (using format_time(),
> >> which really needs to be extended)
> >>
> >> David Lang
> >>
> >

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
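
An added example, not part of the thread and not rsyslog code: it reproduces the template's field mix (hour from timegenerated, everything else from timereported) in Python and compares it with a straight UTC-to-local conversion of the firewall's time. The function names, the sample events and the fixed UTC-7 offset are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC-7 offset (Pacific daylight time on the thread's April
# date), so the example runs without a time zone database.
LOCAL = timezone(timedelta(hours=-7))


def hybrid_stamp(reported_utc, generated_local):
    """Mimic the template: all fields from timereported, hour from timegenerated."""
    return (f"{reported_utc:%Y-%m-%d} {generated_local:%H}:"
            f"{reported_utc:%M:%S}")


def converted_stamp(reported_utc):
    """Reference: treat the unlabeled firewall time as UTC and convert to local."""
    aware = reported_utc.replace(tzinfo=timezone.utc)
    return aware.astimezone(LOCAL).strftime("%Y-%m-%d %H:%M:%S")


def compare(reported_utc, delay_seconds):
    """Return (hybrid, converted) for a message received delay_seconds after sending."""
    received = reported_utc.replace(tzinfo=timezone.utc) + timedelta(seconds=delay_seconds)
    generated_local = received.astimezone(LOCAL)
    return hybrid_stamp(reported_utc, generated_local), converted_stamp(reported_utc)


# Constructed sample events: naive datetimes, as the firewall sends them
# (UTC clock, no zone label), plus a constructed delivery delay in seconds.
SAMPLES = [
    ("mid-hour", datetime(2019, 4, 16, 17, 57, 53), 0.2),
    ("hour boundary", datetime(2019, 4, 16, 17, 59, 59), 1.5),
    ("after 00:00 UTC", datetime(2019, 4, 17, 1, 15, 0), 0.2),
]

if __name__ == "__main__":
    for label, reported, delay in SAMPLES:
        hybrid, converted = compare(reported, delay)
        flag = "ok" if hybrid == converted else "MISMATCH"
        print(f"{label:16} hybrid={hybrid}  converted={converted}  {flag}")
```

The second sample shows the hour slip at an hour boundary; the third shows the date field, which still comes from the UTC timereported value, differing from the local date once UTC has passed midnight.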

