On Tue, Jan 31, 2017 at 11:10 AM, Jochen Schalanda <[email protected]> wrote:
> do the syslog messages from SUSE Linux on "Input 2" contain any timezone
> information? If not, Graylog automatically assumes UTC.
>

Yeah this is a common problem with centralized syslog environments. The old standard assumed everyone lived in one timezone: ah for life to be that easy :-)

So Jochen is correct in that the best thing to do would be to fix the problem at source - but in practice that can be an immense task. Not only with timezone issues, but also with dumb devices that can't keep good time.

I think the syslog INPUT channel could do with a new feature to help solve this problem at destination.

Currently on syslog INPUT channels you can set "allow_override_date" to true/false. But "true" actually means "override date and set to current time *if you cannot parse the date from the message*". I think if that was to be changed to a checkbox of "false", "true-on-error" and "always" (i.e. throw away valid timestamps in message and replace with "now"), then that would solve the problem for a bunch of people.

If you're using syslog, then your records are flowing into Graylog within sub-second accuracy - so throwing away the perceived timestamp and putting a proper one in doesn't change the accuracy. And for those where being off by 0.4sec matters - well, continue to use 'false' :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
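
The three-way setting proposed in the message above, sketched as an added example (not Graylog code and not part of the original post). It assumes an RFC 3164 header with no year or zone that is read as UTC, as the thread describes; the function names, the sample messages and the `None` result for an unparseable date in `false` mode are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss host ..." (no year, no timezone).
_HEADER = re.compile(r"^<\d{1,3}>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) ")

def parse_header_as_utc(raw, year):
    """Read the header timestamp as UTC, as the thread says happens when no
    zone is present. Returns None if the date cannot be parsed."""
    m = _HEADER.match(raw)
    if m is None:
        return None
    try:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    except ValueError:  # e.g. "Feb 31"
        return None
    return ts.replace(tzinfo=timezone.utc)

def choose_timestamp(raw, received_at, mode):
    """mode is 'false', 'true-on-error' or 'always' (the proposed values)."""
    if mode not in ("false", "true-on-error", "always"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "always":
        return received_at  # discard the sender's clock entirely
    parsed = parse_header_as_utc(raw, received_at.year)
    if parsed is None and mode == "true-on-error":
        return received_at
    return parsed  # assumption: None tells the caller the date was unusable

# Constructed sample: sender's wall clock is UTC+1 and writes local time.
RECEIVED = datetime(2017, 1, 31, 10, 10, 0, 400000, tzinfo=timezone.utc)
GOOD = "<34>Jan 31 11:10:00 suse-host sshd[1234]: Accepted publickey for admin"
BAD = "<34>31/01/2017 11:10 suse-host sshd[1234]: Accepted publickey for admin"

if __name__ == "__main__":
    for mode in ("false", "true-on-error", "always"):
        for name, raw in (("good", GOOD), ("bad", BAD)):
            ts = choose_timestamp(raw, RECEIVED, mode)
            skew = None if ts is None else (ts - RECEIVED).total_seconds()
            print(f"{mode:14} {name:4} -> {ts}  skew={skew}s")
```

For the well-formed sample, `false` and `true-on-error` both keep a timestamp almost an hour ahead of the receive time, because the date parses without error; only `always` removes the skew.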
