[rsyslog] Timestamp wrong...?
Rainer Gerhards
rgerhards at hq.adiscon.com
Thu Feb 2 11:28:37 CET 2012
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Thursday, February 02, 2012 11:19 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Timestamp wrong...?
>
> Hi,
>
> David: thanks for your reply...:-) !
> here is my debug output:
> # cat /tmp/example.log
> 6858.610057125:7f9222880700:
[snip]
> 6868.949626982:7f9217fff700: Message from UNIX socket: #4
> 6868.949710093:7f9217fff700: logmsg: flags 4, from '<HOSTNAME>', msg Feb 2 11:01:08 root: testing123
[snip]
>
> Here is the entry on the syslogclient:
> 2012-02-02T11:01:08.949694+01:00 <HOSTNAME> root: testing123
Nope! see above: This is what you actually get from the client:
Feb 2 11:01:08 root: testing123
I guess you have not enabled high-precision forwarding on the client. It is
disabled by default for compatibility reasons (at least IIRC). There is a
template named along the lines of RSYSLOG_ForwardFormat you need to apply
(Again IIRC)
rainer
>
> Here is the same entry on the syslogserver:
> 2012-02-02T11:01:08+02:00 <HOSTNAME> root: testing123
>
> It seems the server entry gets <client time>+<server UTC-offset>... is this
> really right... ?
> Can this be changed to one of the following:
> 1. <UTC time>+00:00
> 2. <client time>+<client UTC-offset>
> 3. <server time>+<server UTC-offset>
>
> Here is my clients /etc/rsyslog.conf:
> $ModLoad imtcp
> $ModLoad imuxsock # provides support for local system logging
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> $ModLoad immark # provides --MARK-- message capability
> *.* @@<IP>:514
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
> # Log cron stuff
> cron.* /var/log/cron
> # Everybody gets emergency messages
> *.emerg *
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
> # Save boot messages also to boot.log
> local7.*
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/1 <david at lang.hm>
>
> > On Wed, 1 Feb 2012, Michael Maymann wrote:
> >
> >> on my syslog client I have the following time:
> >> # date && logger testing123
> >> Wed Feb 1 14:42:02 CET 2012
> >>
> >> what I get in my syslog server logs:
> >> 2012-02-01T14:42:02+02:00 <HOSTNAME> root: testing123
> >> Time on my syslog server:
> >> date
> >> Wed Feb 1 15:42:02 EET 2012
> >>
> >> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
> >> calculations it should have been either:
> >> 2012-02-01T14:42:02+01:00 <HOSTNAME> root: testing123 (if keeping client timestamp)
> >> or
> >> 2012-02-01T15:42:02+02:00 <HOSTNAME> root: testing123 (if keeping server timestamp)
> >> or
> >> 2012-02-01T13:42:02+00:00 <HOSTNAME> root: testing123 (if keeping UTC timestamp)
> >>
> >> I would prefer client timestamp... Is this a bug or have I completely
> >> misunderstood something... ?
> >> How do I change to correct client timestamp ?
> >>
> >
> > timereported is the time that the client put in the log (with whatever
> > precision and timezone that the client reported it in)
> >
> > timegenerated is the timestamp that the server received the log (high
> > precision timestamp in the server's timezone)
> >
> > $now is the time the log is being written
> >
> > check and see what the clients are sending (writing a log from a
> > particular client using the format RSYSLOG_DEBUG is a wonderful
> > troubleshooting tool)
> >
> > by default, the syslog format tries to keep the timestamp the client
> > provides.
> >
> > I'm a huge proponent of running all production systems in GMT/UTC; it
> > avoids a huge number of issues along the way.
> >
> > David Lang
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
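The effect discussed in this thread, as an added example that is not part of the original messages or of rsyslog's code: the traditional timestamp the client sent carries no year and no UTC offset, so the receiver has to assume a zone, while the high-precision form carries its own offset. The function names and the fixed CET/EET offsets are assumptions made for illustration; the two timestamps are the ones quoted in the thread.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets matching the thread (assumption: no DST, it is February).
CET = timezone(timedelta(hours=1))  # client
EET = timezone(timedelta(hours=2))  # server

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_rfc3164(stamp, year, receiver_tz):
    """Parse 'Mmm d hh:mm:ss'. The format has no year and no zone, so the
    receiver must supply both (hypothetical helper, not rsyslog code)."""
    mon, day, clock = stamp.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return datetime(year, MONTHS[mon], int(day), hh, mm, ss, tzinfo=receiver_tz)


def parse_rfc3339(stamp):
    """Parse a high-precision timestamp that carries its own UTC offset."""
    return datetime.fromisoformat(stamp)


def interpretation_error(legacy_stamp, precise_stamp, year, receiver_tz):
    """How far the receiver's reading of the legacy stamp is from the real
    instant (sub-second part ignored, since the legacy format has none)."""
    assumed = parse_rfc3164(legacy_stamp, year, receiver_tz)
    actual = parse_rfc3339(precise_stamp).replace(microsecond=0)
    return assumed - actual


if __name__ == "__main__":
    legacy = "Feb 2 11:01:08"                      # what the client sent
    precise = "2012-02-02T11:01:08.949694+01:00"   # client's local log entry
    # Server in EET reads the zone-less stamp as its own local time.
    print(parse_rfc3164(legacy, 2012, EET).isoformat())
    # The same event normalised to UTC from the offset-carrying stamp.
    print(parse_rfc3339(precise).astimezone(timezone.utc).isoformat())
    # Offset between the two readings, in seconds.
    print(interpretation_error(legacy, precise, 2012, EET).total_seconds())
```

When correlating events across hosts in different zones, an error of this kind shifts every record from the affected sender by the offset difference between the sender and the receiver.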