On Fri, Sep 18, 2020 at 5:48 PM John Chivian via rsyslog <[email protected]> wrote: > > It would be easier to write a custom output template that sent, or wrote > depending on your output, both timereported and timegenerated.
We do precisely this - store both timegenerated (in trusted UTC) and timereported (should be UTC, but also may reflect some lag or malicious manipulation). It expands the uncompressed volume mildly, but we find it to be pretty compressible. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
