Hi,

Rainer: thanks again...:-) !
$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat
added just after $ModLoad's on the client did the trick...

Client:
# date && logger testing123
Thu Feb 2 12:16:44 CET 2012

Server:
2012-02-02T12:16:44.307098+01:00 <HOSTNAME> root: testing123

Case closed...

2012/2/2 Rainer Gerhards <[email protected]>

> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Michael Maymann
> > Sent: Thursday, February 02, 2012 11:19 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Timestamp wrong...?
> >
> > Hi,
> >
> > David: thanks for your reply...:-) !
> > here is my debug output:
> > # cat /tmp/example.log
> > 6858.610057125:7f9222880700:
> [snip]
> > 6868.949626982:7f9217fff700: Message from UNIX socket: #4
> > 6868.949710093:7f9217fff700: logmsg: flags 4, from '<HOSTNAME>', msg Feb 2 11:01:08 root: testing123
> [snip]
> >
> >
> > Here is the entry on the syslogclient:
> > 2012-02-02T11:01:08.949694+01:00 <HOSTNAME> root: testing123
>
> Nope! see above: This is what you actually get from the client:
> Feb 2 11:01:08 root: testing123
>
> I guess you have not enabled high-precision forwarding on the client. It is
> disabled by default for compatibility reasons (at least IIRC). There is a
> template named along the lines of RSYSLOG_ForwardFormat you need to apply
> (Again IIRC)
>
> rainer
> >
> > Here is the same entry on the syslogserver:
> > 2012-02-02T11:01:08+02:00 <HOSTNAME> root: testing123
> >
> > It seems the server entry gets <client time>+<server UTC-offset>... is this
> > really right... ?
> > Can this be changed to one of the following:
> > 1. <UTC time>+00:00
> > 2. <client time>+<client UTC-offset>
> > 3. <server time>+<server UTC-offset>
> >
> > Here is my clients /etc/rsyslog.conf:
> > $ModLoad imtcp
> > $ModLoad imuxsock # provides support for local system logging
> > $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> > $ModLoad immark # provides --MARK-- message capability
> > *.* @@<IP>:514
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.* /dev/console
> > # Log anything (except mail) of level info or higher.
> > # Don't log private authentication messages!
> > *.info;mail.none;authpriv.none;cron.none /var/log/messages
> > # The authpriv file has restricted access.
> > authpriv.* /var/log/secure
> > # Log all the mail messages in one place.
> > mail.* -/var/log/maillog
> > # Log cron stuff
> > cron.* /var/log/cron
> > # Everybody gets emergency messages
> > *.emerg *
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit /var/log/spooler
> > # Save boot messages also to boot.log
> > local7.*
> >
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> >
> > 2012/2/1 <[email protected]>
> >
> > > On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >
> > >> on my syslog client I have the following time:
> > >> # date && logger testing123
> > >> Wed Feb 1 14:42:02 CET 2012
> > >>
> > >> what I get in my syslog server logs:
> > >> 2012-02-01T14:42:02+02:00 <HOSTNAME> root: testing123
> > >> Time on my syslog server:
> > >> date
> > >> Wed Feb 1 15:42:02 EET 2012
> > >>
> > >> according to http://www.timezoneconverter.com/cgi-bin/tzc.tzc and my
> > >> calculations it should have been either:
> > >> 2012-02-01T14:42:02+01:00 <HOSTNAME> root: testing123 (if keeping client timestamp)
> > >> or
> > >> 2012-02-01T15:42:02+02:00 <HOSTNAME> root: testing123 (if keeping server timestamp)
> > >> or
> > >> 2012-02-01T13:42:02+00:00 <HOSTNAME> root: testing123 (if keeping UTC timestamp)
> > >>
> > >> I would prefer client timestamp... Is this a bug or have I completely
> > >> misunderstood something... ?
> > >> How do I change to correct client timestamp ?
> > >>
> > >
> > > timereported is the time that the client put in the log (with whatever
> > > precision and timezone that the client reported it in)
> > >
> > > timegenerated is the timestamp that the server received the log (high
> > > precision timestamp in the server's timezone)
> > >
> > > $now is the time the log is being written
> > >
> > > check and see what the clients are sending (writing a log from a
> > > particular client using the format RSYSLOG_DEBUG is a wonderful
> > > troubleshooting tool)
> > >
> > > by default, the syslog format tries to keep the timestamp the client
> > > provides.
> > >
> > > I'm a huge proponent of running all production systems in GMT/UTC it
> > > avoids a huge number of issues along the way.
> > >
> > > David Lang
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
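
The one-hour skew diagnosed in this thread, as an added example that is not part of the original messages and is not rsyslog code: a traditional timestamp carries no UTC offset, so a receiver in another zone records it with its own offset, while an RFC 3339 timestamp (as sent with RSYSLOG_ForwardFormat) keeps the sender's. The function names are hypothetical, the CET/EET offsets and sample values are taken from the thread, and the true event instant is constructed from them.

```python
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))  # client offset in the thread
EET = timezone(timedelta(hours=2))  # server offset in the thread


def receive_timestamp(raw, receiver_tz, year):
    """Model a receiver reading the timestamp field of a forwarded message.

    Returns (aware_datetime, offset_was_on_wire). This models the behaviour
    observed in the thread; it is not rsyslog's implementation.
    """
    try:
        # RFC 3339 style: date, sub-second precision and UTC offset on the wire.
        ts = datetime.fromisoformat(raw)
    except ValueError:
        # Traditional "Mmm dd hh:mm:ss": no year and no offset on the wire.
        normalized = " ".join(raw.split())
        ts = datetime.strptime(f"{year} {normalized}", "%Y %b %d %H:%M:%S")
    if ts.tzinfo is not None:
        return ts, True
    # Nothing says which zone the sender meant, so the receiver's zone is used.
    return ts.replace(tzinfo=receiver_tz), False


def recorded_skew(raw, receiver_tz, true_instant):
    """Seconds by which the stored timestamp differs from the real event time."""
    ts, _ = receive_timestamp(raw, receiver_tz, true_instant.year)
    return (ts - true_instant).total_seconds()


# Constructed from the thread: the event happened at 14:42:02 on a CET client.
TRUE_EVENT = datetime(2012, 2, 1, 14, 42, 2, tzinfo=CET)
LEGACY = "Feb  1 14:42:02"                 # what the client sent by default
FORWARD = "2012-02-01T14:42:02+01:00"      # same event with the offset kept

if __name__ == "__main__":
    for raw in (LEGACY, FORWARD):
        ts, on_wire = receive_timestamp(raw, EET, 2012)
        skew = recorded_skew(raw, EET, TRUE_EVENT)
        print(f"{raw!r:32} -> {ts.isoformat()}  offset on wire: {on_wire}, "
              f"skew: {skew:+.0f}s")
```

When correlating events from hosts in different zones, a skew of a whole number of hours between sources points at offset-less timestamps like this rather than at clock drift.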

