On Wed, 5 Dec 2012, Rainer Gerhards wrote:
-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of David Lang
Sent: Wednesday, December 05, 2012 6:45 AM
To: rsyslog-users
Subject: Re: [rsyslog] Clarification about timegenerated
On Tue, 4 Dec 2012, Radu Gheorghe wrote:
2012/12/4 Jerome Renard <[email protected]>
That's my understanding as well.
Now if I complexify my use case a bit, I get a local server which
forwards its logs to a different machine in a different timezone.
In that case what will timegenerated look like ? Will it contain the
time the log message hits my local Rsyslog, or will it contain the
time at which the log message hits my distant Rsyslog ?
My understanding is that the property applies to the template that is
applied. So if you have a template in your distant Rsyslog that writes your
timegenerated to a file, then timegenerated will be the system time of that
Rsyslog when the log was received. Or actually, when the log is parsed.
And to clarify (or muddy the waters further), the second rsyslog will give you
'timereported' equal to the 'timegenerated' of the first rsyslog machine when it
received the log message and 'timegenerated' of when the second rsyslog machine
received the log message.
With properly formatted messages, that should not happen.
"timegenerated" is always the time when rsyslog generated the message object on the local
machine. That actually means it is the time when the message was received (either via the oscall
layer or on some inputs based on information the OS provides). As such, "timereceived"
would probably be a better name, but that would break too much...
"timereported" is what the sending device reports as time. This is taken from the appropriate
syslog header field. If and only if the syslog date header cannot properly be parsed,
"timereported" is populated with the same value as "timegenerated".
Assuming that all systems in a relay chain use valid syslog format, "timereported" will
be the same on all relay machines, whereas "timegenerated" reflects the local time of
message reception and thus is different on each relay machine.
I hope this clarifies.
I was meaning that if the first machine wrote with a template that used
"timegenerated", the second machine would see that time as "timereported" as
far as it's concerned.
David Lang
Rainer
For each rsyslog instance, 'timereported' is what it is being told by the entity
giving it the log, and 'timegenerated' is when this copy of rsyslog first
processed that log message.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
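The two-relay behaviour discussed in this thread, as an added example that is not part of the original messages and is not rsyslog code: a small Python model in which each instance sets timegenerated on reception and takes timereported from the header, falling back to timegenerated when the header date cannot be parsed. The functions receive, forward and relay_chain, the simplified header parsing, and all sample lines and times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def receive(raw, now):
    """Model one rsyslog instance receiving `raw` at its local time `now`."""
    try:
        pri, stamp, rest = raw.split(" ", 2)
        reported = datetime.fromisoformat(stamp)   # date header parsed
    except ValueError:
        # Header date unparseable: timereported takes the reception time.
        pri, rest, reported = "<13>1", raw, now
    return {"pri": pri, "rest": rest,
            "timereported": reported, "timegenerated": now}

def forward(msg, time_field):
    """Re-emit the message; `time_field` is the property the forwarding
    template puts in the date header (hypothetical simplification)."""
    return f"{msg['pri']} {msg[time_field].isoformat()} {msg['rest']}"

# Constructed sample data: device and relay A in UTC+1, relay B in UTC-5.
CET = timezone(timedelta(hours=1))
EST = timezone(timedelta(hours=-5))
DEVICE_TIME = datetime(2012, 12, 5, 6, 45, 0, tzinfo=CET)
DEVICE_LINE = f"<13>1 {DEVICE_TIME.isoformat()} web01 app - - - login failed"
T_A = datetime(2012, 12, 5, 6, 45, 2, tzinfo=CET)   # relay A reception
T_B = datetime(2012, 12, 5, 0, 45, 5, tzinfo=EST)   # relay B reception

def relay_chain(line, template_field):
    """Send `line` through relay A, then relay B; return both views."""
    a = receive(line, T_A)
    b = receive(forward(a, template_field), T_B)
    return a, b

if __name__ == "__main__":
    cases = [("valid chain, header keeps timereported", DEVICE_LINE, "timereported"),
             ("relay A template writes timegenerated", DEVICE_LINE, "timegenerated"),
             ("unparseable header at relay A", "login failed, no header", "timereported")]
    for label, line, field in cases:
        a, b = relay_chain(line, field)
        print(label)
        for name, m in (("A", a), ("B", b)):
            print(f"  {name}: timereported={m['timereported'].isoformat()}"
                  f" timegenerated={m['timegenerated'].isoformat()}")
```

When correlating events across relays for a timeline, the first case is the one where timereported can be compared between machines; in the other two it reflects relay A's clock rather than the originating device's.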