> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of David Lang
> Sent: Wednesday, December 05, 2012 6:45 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Clarification about timegenerated
>
> On Tue, 4 Dec 2012, Radu Gheorghe wrote:
>
> > 2012/12/4 Jerome Renard <[email protected]>
> >
> > That's my understanding as well.
> >
> >>
> >> Now if I complexify my use case a bit, I get a local server which
> >> forwards its logs to a different machine in a different timezone.
> >> In that case what will timegenerated look like? Will it contain the
> >> time the log message hits my local Rsyslog, or will it contain the
> >> time at which the log message hits my distant Rsyslog?
> >>
> >
> > My understanding is that the property applies to the template that is
> > applied. So if you have a template in your distant Rsyslog that writes your
> > timegenerated to a file, then timegenerated will be the system time of that
> > Rsyslog when the log was received. Or actually, when the log is parsed.
>
> And to clarify (or muddy the waters further), the second rsyslog will give you
> 'timereported' equal to the 'timegenerated' of the first rsyslog machine when it
> received the log message and 'timegenerated' of when the second rsyslog machine
> received the log message

With properly formatted messages, that should not happen.

"timegenerated" is always the time when rsyslog generated the message object on the local machine. That actually means it is the time when the message was received (either via the oscall layer or on some inputs based on information the OS provides). As such, "timereceived" would probably be a better name, but that would break too much...

"timereported" is what the sending device reports as time. This is taken from the appropriate syslog header field. If and only if the syslog date header cannot properly be parsed, "timereported" is populated with the same value as "timegenerated".

Assuming that all systems in a relay chain use valid syslog format, "timereported" will be the same on all relay machines, whereas "timegenerated" reflects the local time of message reception and thus is different on each relay machine.

I hope this clarifies.
Rainer

> For each rsyslog instance, 'timereported' is what it is being told by the entity
> giving it the log, and 'timegenerated' is when this copy of rsyslog first
> processed that log message.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if you DON'T LIKE THAT.
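
The rule described in the reply above, modelled as an added example (not rsyslog code and not part of the original thread): each instance stamps timegenerated at reception and takes timereported from the date header, falling back to timegenerated when the header cannot be parsed. The simplified frame layout, the forward() step (re-emitting the frame with timereported as its date header) and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified frame "<PRI>1 TIMESTAMP HOSTNAME MESSAGE" (model assumption, not a full parser).
FRAME = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (.*)", re.S)


def receive(raw, local_now):
    """Model one rsyslog instance receiving `raw` at its local time `local_now`."""
    m = FRAME.fullmatch(raw)
    if m is None:
        raise ValueError("frame does not have the modelled shape")
    pri, stamp, host, msg = m.groups()
    timegenerated = local_now  # always the local reception time
    try:
        timereported = datetime.fromisoformat(stamp)
        if timereported.tzinfo is None:
            raise ValueError("timestamp without UTC offset")
    except ValueError:
        timereported = timegenerated  # unparseable date header: fall back
    return {"pri": pri, "host": host, "msg": msg,
            "timereported": timereported, "timegenerated": timegenerated}


def forward(p):
    """Assumed relay behaviour: re-emit the frame with timereported as its date header."""
    return f"<{p['pri']}>1 {p['timereported'].isoformat()} {p['host']} {p['msg']}"


def relay_chain(raw, arrival_times):
    """Pass one frame through successive relays; return what each relay recorded."""
    seen = []
    for now in arrival_times:
        seen.append(receive(raw, now))
        raw = forward(seen[-1])
    return seen


# Constructed sample data: two relays in different time zones, reception 2 s apart.
ARRIVALS = [datetime(2012, 12, 5, 6, 45, 1, tzinfo=timezone(timedelta(hours=1))),
            datetime(2012, 12, 5, 5, 45, 3, tzinfo=timezone.utc)]
GOOD = "<13>1 2012-12-05T06:45:00+01:00 app01 test: hello"
BAD = "<13>1 yesterday-ish app01 test: hello"

if __name__ == "__main__":
    for frame in (GOOD, BAD):
        for hop, p in enumerate(relay_chain(frame, ARRIVALS), 1):
            print(hop, p["timereported"].isoformat(), p["timegenerated"].isoformat())
```

In this model the well-formed frame keeps the sender's timestamp as timereported at every hop, while for the malformed frame the second relay's timereported is the first relay's reception time.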

