Re: [rsyslog] enforce all incoming logs with local server time

David Lang via rsyslog Tue, 10 May 2022 07:12:31 -0700

yes, a custom template is the right approach, and yes that is the expectedtimestamp format.


David Lang


On Tue, 10 May 2022, Dimi Onobodies via rsyslog wrote:

Date: Tue, 10 May 2022 14:04:47 +0000
From: Dimi Onobodies via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Dimi Onobodies <dimi_...@hotmail.com>
Subject: [rsyslog] enforce all incoming logs with local server time

Hi

I have a system "ServerA" acting as central rsyslog endpoint. A bunch of hosts 
forward their syslog logs there.

Some hosts are in different time zone so when logs arrive from those particular 
hosts appear in +8 hours.

 *   changing the timezone of the client (system that sends the logs) is not an 
option.
 *   i am using RSYSLOG_FileFormat as default template on the central server

I would like  "ServerA" to store all incoming logs from the systems according 
to its local timezone.

The approach I took  was to clone  RSYSLOG_FileFormat from documentation* and 
change the property from timereported to timegenerated

template(name="custom_FileFormat" type="list") {
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

$ActionFileDefaultTemplate custom_FileFormat

That seem to worked however I noticed that with the "timegenerated" 
modification there are some extra digits added to the timestamp:

# local server time 2022-05-10 06:45:07PDT
# Bellow - unmodified RSYSLOG_FileFormat
2022-05-10T13:41:52-07:00 app1.example.com lab: TEST

# cloned RSYSLOG_FileFormat with timegenerated
2022-05-10T06:45:19.323828-07:00 app2.example.com lab: TEST

 1.  Is this expected?
 2.  Is this the best approach to enforce all incoming logs to local server 
timezone ?

Thanks,
D.

*https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] enforce all incoming logs with local server time

Reply via email to