> On Wed, 5 Dec 2012, Rainer Gerhards wrote: > > >> -----Original Message----- > >> From: [email protected] [mailto:rsyslog- > >> [email protected]] On Behalf Of David Lang > >> Sent: Wednesday, December 05, 2012 6:45 AM > >> To: rsyslog-users > >> Subject: Re: [rsyslog] Clarification about timegenerated > >> > >> On Tue, 4 Dec 2012, Radu Gheorghe wrote: > >> > >>> 2012/12/4 Jerome Renard <[email protected]> > >>> > >>> That's my understanding as well. > >>> > >>> > >>>> > >>>> Now if complexify my use case a bit, I get a local server which > >>>> forwards its logs to a different machine in a different timezone. > >>>> In that case what will timegenerated look like ? Will it contain > the > >>>> time the log message hits my local Rsyslog, or will it contain the > >>>> time at which the log message hits my distant Rsyslog ? > >>>> > >>> > >>> My understanding is that the property applies to the template that > is > >>> applied. So if you have a template in your distant Rsyslog that > >> writes your > >>> timegenerated to a file, then timegenerated will be the system time > >> of that > >>> Rsyslog when the log was received. Or actually, when the log is > >> parsed. > >> > >> And to clarify (or muddy the waters further), the second rsyslog > will > >> give you > >> 'timereported' equal to the 'timegenerated' of the first rsyslog > >> machine when it > >> recieved the log message and 'timegenerated' of when the second > rsyslog > >> machine > >> recieved the log message > > > > With properly formatted messages, that should not happen. > > > > "timegenerated" is always the time when rsyslog generated the message > object on the local machine. That actually means it is the time when > the message was received (either via the oscall layer or on some inputs > based on information the OS provides). As such, "timereceived" would > probably be a better name, but that would break too much... > > > > "timereported" is what the sending device reports as time. This is > taken from the appropriate syslog header field. If and only if the > syslog date header cannot properly be parsed, "timereported" is > populated with the same value as "timegenerated". > > > > Assuming that all systems in a relay chain use valid syslog format, > "timereported" will be the same on all relay machines, whereas > "timegenerated" reflects the local time of message reception and thus > is different on each relay machine. > > > > I hope this clarifies. > > I was meaning that if the first machine wrote with a template that used > "timegenerated", the second machine would see that time as > "timereported" as > far as it's concerned.
Ah, yes. Of course you are right! Rainer _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
