> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Michael Maymann > Sent: Thursday, February 02, 2012 11:19 AM > To: rsyslog-users > Subject: Re: [rsyslog] Timestamp wrong...? > > Hi, > > David: thanks for your reply...:-) ! > here is my debug output: > # cat /tmp/example.log > 6858.610057125:7f9222880700: [snip] > 6868.949626982:7f9217fff700: Message from UNIX socket: #4 > 6868.949710093:7f9217fff700: logmsg: flags 4, from '<HOSTNAME>', msg > Feb 2 > 11:01:08 root: testing123 [snip]
> > Here is the entry on the syslogclient: > 2012-02-02T11:01:08.949694+01:00 <HOSTNAME> root: testing123 Nope! see above: This is what you actually get from the client: Feb 2 11:01:08 root: testing123 I guess you have not enabled high-pecision forwarding on the client. It is disable by default for compatibility reasons (at least IIRC). There is a template named along the lines of RSYSLOG_ForwardFormat you need to apply (Again IIRC) rainer > > Here is the same entry on the syslogserver: > 2012-02-02T11:01:08+02:00 <HOSTNAME> root: testing123 > > It seems the server entry gets <client time>+<server UTC-offset>... is > this > really right... ? > Can this be changed to one of the following: > 1. <UTC time>+00:00 > 2. <client time>+<client UTC-offset> > 3. <server time>+<server UTC-offset> > > Here is my clients /etc/rsyslog.conf: > $ModLoad imtcp > $ModLoad imuxsock # provides support for local system logging > $ModLoad imklog # provides kernel logging support (previously done by > rklogd) > $ModLoad immark # provides --MARK-- message capability > *.* @@<IP>:514 > # Log all kernel messages to the console. > # Logging much else clutters up the screen. > #kern.* /dev/console > # Log anything (except mail) of level info or higher. > # Don't log private authentication messages! > *.info;mail.none;authpriv.none;cron.none > /var/log/messages > # The authpriv file has restricted access. > authpriv.* /var/log/secure > # Log all the mail messages in one place. > mail.* - > /var/log/maillog > # Log cron stuff > cron.* /var/log/cron > # Everybody gets emergency messages > *.emerg * > # Save news errors of level crit and higher in a special file. > uucp,news.crit > /var/log/spooler > # Save boot messages also to boot.log > local7.* > > > Thanks in advance :-) ! > ~maymann > > > 2012/2/1 <[email protected]> > > > On Wed, 1 Feb 2012, Michael Maymann wrote: > > > > on my syslog client i have the following time: > >> # date && logger testing123 > >> Wed Feb 1 14:42:02 CET 2012 > >> > >> what get in my syslog server logs: > >> 2012-02-01T14:42:02+02:00 <HOSTNAME> root: testing123 > >> Time on my syslog server: > >> date > >> Wed Feb 1 15:42:02 EET 2012 > >> > >> according to http://www.timezoneconverter.**com/cgi- > bin/tzc.tzc<http://www.timezoneconverter.com/cgi-bin/tzc.tzc>and my > >> calculations it should have been either: > >> 2012-02-01T14:42:02+01:00 <HOSTNAME> root: testing123 (if keeping > client > >> timestamp) > >> or > >> 2012-02-01T15:42:02+02:00 <HOSTNAME> root: testing123 (if keeping > server > >> timestamp) > >> or > >> 2012-02-01T13:42:02+00:00 <HOSTNAME> root: testing123 (if keeping > UTC > >> timestamp) > >> > >> I would prefer client timestamp... Is this a bug or have I > completely > >> misunderstood something... ? > >> How do I change to correct client timestamp ? > >> > > > > timereported is the time that the client put in the log (with > whatever > > precision and timezone that the client reported it in) > > > > timegenerated is the timestamp that the server received the log (high > > precision timestamp in the server's timezone) > > > > $now is the time the log is being written > > > > check and see what the clients are sending (writing a log from a > > particular client using the format RSYSLOG_DEBUG is a wonderful > > troubleshooting tool) > > > > by default, the syslog format tries to keep the timestamp the client > > provides. > > > > I'm a huge proponent of running all production systems in GMT/UTC it > > avoids a huge number of issues along the way. > > > > David Lang > > ______________________________**_________________ > > rsyslog mailing list > > > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adisco > n.net/mailman/listinfo/rsyslog> > > http://www.rsyslog.com/**professional- > services/<http://www.rsyslog.com/professional-services/> > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/
