If you are asking rsyslog to do the event correlate function, then David's original and subsequent answers are probably the definitive ones.

If something else does the correlate function, such that rsyslog outputs to the correlate function, then I would create a new template specific to the output of UTC events.  The template would use timereported (without offset, in UTC) and add the string constant "+00:00" as the offset immediately thereafter.

This approach assumes the correlate function understands RFC3339, and can convert a time spec with explicit offset into the correct system local time line.

Regards,



On 4/16/19 5:02 PM, David Lang via rsyslog wrote:
timestamp manipulation is an area that we just have the very beginnings of. parse_time() and format_time() were only recently added, they open up a number of possibilities, but work needs to be done to implement them, and there just hasn't been enough priority for Adiscon to work on it, and nobody else has started working to contribute code for it.

David Lang

 On Tue, 16 Apr 2019, Kelly McCubbin wrote:

Date: Tue, 16 Apr 2019 14:30:12 -0700
From: Kelly McCubbin <[email protected]>
To: David Lang <[email protected]>
Cc: Kelly McCubbin via rsyslog <[email protected]>
Subject: Re: [rsyslog] Timezone Question

Ok, this is hokey, but I Kobayashi Maru'd it.  Figuring that the
timereported time would always be correct per the actual event time in UTC
and the timegenerated time would always have the local hour right, I
changed my template to this...

    property(name="timereported" dateFormat="year")
    constant(value="-")
    property(name="timereported" dateFormat="month")
    constant(value="-")
    property(name="timereported" dateFormat="day")
    constant(value=" ")
    property(name="timegenerated" dateFormat="hour")
    constant(value=":")
    property(name="timereported" dateFormat="minute")
    constant(value=":")
    property(name="timereported" dateFormat="second")

I recognize that there might be a half second each hour that the hour might be off, but that should be pretty obvious when it happens, and since this is a tool that we use for troubleshooting, not for any legal retention, I think that's acceptable.

- Kelly



On Tue, Apr 16, 2019 at 11:00 AM David Lang <[email protected]> wrote:

rsyslog doesn't convert the timestamps that it receives.

a better bet would be to change the other system(s) to run in UTC. It's a good idea anyway, if you run in local time you have crontab entries that can not be run or run twice when time shifts, and if you write logs to files that have the time as part of the filename, you will get 'odd' results when the time moves backwards.

David Lang

  On Tue, 16 Apr 2019, Kelly McCubbin wrote:

Date: Tue, 16 Apr 2019 10:57:53 -0700
From: Kelly McCubbin <[email protected]>
To: David Lang <[email protected]>
Cc: Kelly McCubbin via rsyslog <[email protected]>
Subject: Re: [rsyslog] Timezone Question

Tricky.
What about the other way around; could we somehow force Rsyslog to assume
that anything unlabeled with a time zone was, as a default, UTC?

On Tue, Apr 16, 2019 at 10:39 AM David Lang <[email protected]> wrote:

On Tue, 16 Apr 2019, Kelly McCubbin via rsyslog wrote:

I may have posed this before, but I haven't found a solution yet; so I'm going to come at it from a different angle.
We're processing syslogs from Cisco nextgen firewalls (FTDs). The firewall sends the logs with no time zone stamp, but the time is in UTC.
We correlate those logs on our Rsyslog server with other logs that are labelled correctly, so the time is adjusted to our local time (PST).
We'd like to find a way to force the logs from the Cisco firewalls to also adjust to PST so that they match up with the logs that have the correct time.

Is there any way to do this?

There is not a good way to do this, the glibc timezone conversion functions rely on environment variables and so would have to be duplicated. You would then need to have some sort of decision function (possibly using table_lookup() ) to decide what correction to make to what hosts.

I think a better approach may be to find a way to use the parse_time() function to convert the time to epoch time, then add a number to it (not allowed currently AFAIK) and then convert to a text timestamp (using format_time(), which really needs to be extended)

David Lang




_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
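The template approach proposed in the reply at the top of this thread (emit timereported's own wall-clock fields, which the firewall sent in UTC, and append a fixed "+00:00" offset), worked through as an added example. This is editor-written illustration, not code from the list posts or from the rsyslog project. It assumes the FTD senders are selected by source IP (192.0.2.10 and 192.0.2.11 are placeholder addresses), that the output files are consumed by a correlator that parses RFC 3339 offsets, and it runs on rsyslog v8 RainerScript syntax. Note that, unlike the timegenerated hack earlier in the thread, every field including the hour comes from timereported, so there is no hour-boundary skew.

```rsyslog
# Added example (editor-written, not from the thread or the rsyslog project).
# rsyslog parses an offset-less RFC 3164 timestamp as local time, but it never
# rewrites the fields it parsed. The firewall put UTC wall-clock values in the
# message, so emitting those fields verbatim plus a constant "+00:00" produces
# a correct RFC 3339 timestamp for a downstream correlator to convert.

template(name="FTD_UTC_Event" type="list") {
    # Date and time fields taken from the message's own timestamp (timereported).
    property(name="timereported" dateFormat="year")
    constant(value="-")
    property(name="timereported" dateFormat="month")
    constant(value="-")
    property(name="timereported" dateFormat="day")
    constant(value="T")
    property(name="timereported" dateFormat="hour")
    constant(value=":")
    property(name="timereported" dateFormat="minute")
    constant(value=":")
    property(name="timereported" dateFormat="second")
    # The explicit offset is the only piece of information the firewall omitted.
    constant(value="+00:00")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

# Senders that label their timestamps correctly keep their own offset via the
# stock rfc3339 date format.
template(name="Other_Event" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

# Assumed selector: the FTD management addresses are placeholders here.
# (A table_lookup() against a host list would scale better than a literal.)
if ($fromhost-ip == "192.0.2.10" or $fromhost-ip == "192.0.2.11") then {
    action(type="omfile" file="/var/log/correlate/ftd.log" template="FTD_UTC_Event")
    stop
}
action(type="omfile" file="/var/log/correlate/other.log" template="Other_Event")
```

With this in place a firewall line carrying "Apr 16 14:30:12" lands in ftd.log as "2019-04-16T14:30:12+00:00 ..." while a correctly labelled source lands in other.log as "2019-04-16T07:30:12-07:00 ...", and the correlator, not rsyslog, does the conversion to local time. The caveat from the top reply still applies: the consumer must honour the offset, otherwise the "+00:00" is just decoration.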

