[rsyslog] Timestamp wrong...?
rgerhards at hq.adiscon.com
Thu Feb 2 11:28:37 CET 2012
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Thursday, February 02, 2012 11:19 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Timestamp wrong...?
> David: thanks for your reply...:-) !
> here is my debug output:
> # cat /tmp/example.log
> 6868.949626982:7f9217fff700: Message from UNIX socket: #4
> 6868.949710093:7f9217fff700: logmsg: flags 4, from '<HOSTNAME>', msg
> Feb 2
> 11:01:08 root: testing123
> Here is the entry on the syslogclient:
> 2012-02-02T11:01:08.949694+01:00 <HOSTNAME> root: testing123
Nope! see above: This is what you actually get from the client:
Feb 2 11:01:08 root: testing123
I guess you have not enabled high-pecision forwarding on the client. It is
disable by default for compatibility reasons (at least IIRC). There is a
template named along the lines of RSYSLOG_ForwardFormat you need to apply
> Here is the same entry on the syslogserver:
> 2012-02-02T11:01:08+02:00 <HOSTNAME> root: testing123
> It seems the server entry gets <client time>+<server UTC-offset>... is
> really right... ?
> Can this be changed to one of the following:
> 1. <UTC time>+00:00
> 2. <client time>+<client UTC-offset>
> 3. <server time>+<server UTC-offset>
> Here is my clients /etc/rsyslog.conf:
> $ModLoad imtcp
> $ModLoad imuxsock # provides support for local system logging
> $ModLoad imklog # provides kernel logging support (previously done by
> $ModLoad immark # provides --MARK-- message capability
> *.* @@<IP>:514
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
> # Log all the mail messages in one place.
> mail.* -
> # Log cron stuff
> cron.* /var/log/cron
> # Everybody gets emergency messages
> *.emerg *
> # Save news errors of level crit and higher in a special file.
> # Save boot messages also to boot.log
> Thanks in advance :-) !
> 2012/2/1 <david at lang.hm>
> > On Wed, 1 Feb 2012, Michael Maymann wrote:
> > on my syslog client i have the following time:
> >> # date && logger testing123
> >> Wed Feb 1 14:42:02 CET 2012
> >> what get in my syslog server logs:
> >> 2012-02-01T14:42:02+02:00 <HOSTNAME> root: testing123
> >> Time on my syslog server:
> >> date
> >> Wed Feb 1 15:42:02 EET 2012
> >> according to http://www.timezoneconverter.**com/cgi-
> bin/tzc.tzc<http://www.timezoneconverter.com/cgi-bin/tzc.tzc>and my
> >> calculations it should have been either:
> >> 2012-02-01T14:42:02+01:00 <HOSTNAME> root: testing123 (if keeping
> >> timestamp)
> >> or
> >> 2012-02-01T15:42:02+02:00 <HOSTNAME> root: testing123 (if keeping
> >> timestamp)
> >> or
> >> 2012-02-01T13:42:02+00:00 <HOSTNAME> root: testing123 (if keeping
> >> timestamp)
> >> I would prefer client timestamp... Is this a bug or have I
> >> misunderstood something... ?
> >> How do I change to correct client timestamp ?
> > timereported is the time that the client put in the log (with
> > precision and timezone that the client reported it in)
> > timegenerated is the timestamp that the server received the log (high
> > precision timestamp in the server's timezone)
> > $now is the time the log is being written
> > check and see what the clients are sending (writing a log from a
> > particular client using the format RSYSLOG_DEBUG is a wonderful
> > troubleshooting tool)
> > by default, the syslog format tries to keep the timestamp the client
> > provides.
> > I'm a huge proponent of running all production systems in GMT/UTC it
> > avoids a huge number of issues along the way.
> > David Lang
> > ______________________________**_________________
> > rsyslog mailing list
> > http://www.rsyslog.com/**professional-
> rsyslog mailing list
More information about the rsyslog