Hello,

On 6/27/2014 2:29 PM, Steve Clark wrote:
> Hello List,
>
> I know 5.8 is old - but it comes with el6. My question is I am collecting syslog info from cisco equipment and storing in a postgresql DB using:
>
> # Remote Logging
> $RuleSet remote
> #*.* -?DynFile
> *.* :ompgsql:127.0.0.1,syslog,user,pw
>
> This works okay but when I look at the data in the pg db I am confused by what shows up in the receivedat and devicereportedtime. In the example below they are the same but the message from the cisco has a time 2 hrs earlier.
>
> syslog=# select receivedat, devicereportedtime, message from systemevents limit 10;
>      receivedat      | devicereportedtime  | message
> ---------------------+---------------------+-------------------------------------------------------------------------------------------
>  2014-06-11 11:12:34 | 2014-06-11 11:12:34 | *Jun 11 09:12:27.459: %RRM-3-RRM_LOGMSG: rrmLrad.c:2471 RRM LOG: #012RRM Verify Coverage
>  2014-06-11 11:12:34 | 2014-06-11 11:12:34 | *Jun 11 09:12:27.460: %RRM-3-RRM_LOGMSG: rrmLrad.c:2471 RRM LOG: #012RRM Verify Coverage
>
> Is this a misconfiguration on my part or something that is fixed in a later version?
The timestamp in the message column is a timestamp either included in the message by the source or by chaining/forwarding from another syslog daemon (I've seen it with syslog-ng forwarding to rsyslog).
The issue of it being two hours off could be as simple as timezone differences between the server receiving the message and the device (or the forwarder). The issue of it being a few seconds off could be delivery time, forwarding time, or NTP drift.
It is highly unlikely to be a problem with rsyslog.

Jacob
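
An added example, not part of the original thread or of rsyslog: it splits the gap between receivedat and the timestamp embedded in the message into a whole time zone offset and a residual delay, the two causes the reply names. The function name split_skew, the regular expression for the embedded timestamp and the rounding to 15 minutes are assumptions; the two rows are taken from the query output quoted above.

```python
import re
from datetime import datetime, timedelta

# Rows taken from the query output quoted in the thread: (receivedat, message).
ROWS = [
    ("2014-06-11 11:12:34",
     "*Jun 11 09:12:27.459: %RRM-3-RRM_LOGMSG: rrmLrad.c:2471 RRM LOG: #012RRM Verify Coverage"),
    ("2014-06-11 11:12:34",
     "*Jun 11 09:12:27.460: %RRM-3-RRM_LOGMSG: rrmLrad.c:2471 RRM LOG: #012RRM Verify Coverage"),
]

# Assumed shape of the embedded timestamp: optional marker, "Mon DD HH:MM:SS[.mmm]:".
EMBEDDED = re.compile(r"^[*.]?([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2})(?:\.(\d{1,3}))?:")
HALF_YEAR = timedelta(days=180)


def split_skew(receivedat, message):
    """Return (zone_offset_minutes, residual_seconds), or None when the
    message carries no embedded timestamp."""
    m = EMBEDDED.match(message)
    if m is None:
        return None
    received = datetime.strptime(receivedat, "%Y-%m-%d %H:%M:%S")
    mon, day, hms, frac = m.groups()
    # The embedded stamp has no year, so borrow it from receivedat ...
    device = datetime.strptime(f"{received.year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    device += timedelta(milliseconds=int((frac or "0").ljust(3, "0")))
    # ... and correct for messages that straddle New Year.
    if device - received > HALF_YEAR:
        device = device.replace(year=device.year - 1)
    elif received - device > HALF_YEAR:
        device = device.replace(year=device.year + 1)
    delta = received - device
    # Time zone offsets are multiples of 15 minutes: the nearest multiple is
    # the zone difference, the remainder is delivery/forwarding delay or drift.
    quarters = round(delta / timedelta(minutes=15))
    zone = timedelta(minutes=15 * quarters)
    return 15 * quarters, (delta - zone).total_seconds()


if __name__ == "__main__":
    for receivedat, message in ROWS:
        print(receivedat, split_skew(receivedat, message))
```

For the two rows in the thread this gives an offset of 120 minutes and a residual of about 6.5 seconds.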

