On Fri, 18 Jul 2014, Eugene Istomin wrote:

Also I read about another approach:

"...I think you are far better off running your servers (and the timestamps on the logs) on UTC. This not only avoids the problems of "where is this server located, so what time zone is it in", but it also doesn't have daylight savings time changes (with all the related problems of jobs running multiple times or not at all)"

Well, sounds good. But needs additional configuration in every time-dependent application (DB/schedulers/etc).

What I've seen in practice is that these things fall into one of two categories

1. they really should support users in different timezones anyway, so they need to have this configuration

or

2. they are only used by your IT staff, who can get used to the timeshift pretty quickly

---
Best regards,
Eugene Istomin


On Thursday, July 17, 2014 10:49:02 PM Eugene Istomin wrote:
Can you describe a little bit two 8.3.4 changelog lines?

+ new parser config object — permits to define custom parser definitions

not sure about this

+ new tzinfo config object — permits to define time zone offsets

I believe that this lets you say that all logs from a source should be treated as if they are at timezone offset X, even if they don't report a timezone.

David Lang

---
Best regards,
Eugene Istomin

> Hello Rainer,
>
> during implementing of the flexible ES templates we are stopped by a time
> zone problem, let me describe:
>
> 1) We have a message template like:
>
> ##CEE TEMPLATE
> template(name="cee" type="list") {
> ...
> constant(value="@cee: {")
> ...
> property(name="timegenerated" dateFormat="rfc3339" format="jsonf"
>          outname="@timestamp") constant(value=", ") ...
>
> 2) Sending this message using RELP:
>
> ruleset(name="relp_cee") {
>     action(type="omrelp" Template="cee" Target="core" Port="20514")
> }
>
> 3) Log server is receiving this message:
>
> input(type="imrelp" Port="20514")
> action(type="mmjsonparse")
>
> if $parsesuccess == "OK" then {
>     action(type="omelasticsearch" server="localhost" template="ES-All"
>            searchIndex="es_index-default" searchType="events" dynSearchIndex="on"
>            bulkmode="on" queue.dequeuebatchsize="5000" queue.size="100000"
>            queue.workerthreads="5" ); }
>
> and puts to ES using index
>
> ## ES Index template
> template(name="es_index-default" type="list") {
>    property(name="$!msg_class" ) constant(value="-")
>    property(name="$!msg_view" ) constant(value="-")
>    property(name="@timestamp" dateFormat="rfc3339" position.from="1"
>    position.to="4") constant(value=".") property(name="@timestamp"
>    dateFormat="rfc3339" position.from="6" position.to="7") constant(value=".")
>    property(name="@timestamp" dateFormat="rfc3339" position.from="9"
>    position.to="10") }
>
> Let's say the date is 2014-07-01T01:30:00.000000+03:00
>
> if we extract the template index using "es_index-default" - we'll get
> "X-Y-2014-07-01". But in fact, the correct date relative to the ES timestamp
> needs to be "X-Y-2014-06-30". Properties "$month" and "$date" get the same
> numbers.
>
> Can you add a property option that helps getting $month/$date/ (may be
> rfc3339) as absolute (UTC) value? Thanks!
>
> ---
> Best regards,
> Eugene Istomin
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
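
The index-date mismatch described in the quoted question, as an added example that is not part of the original thread and is not rsyslog code: it compares a daily index suffix cut out of the RFC 3339 string by character position (what `position.from`/`position.to` does) with the suffix computed after normalizing to UTC. The `X-Y-` prefix stands in for the msg_class/msg_view parts as in the question; the function names and all sample timestamps except the first are constructed for illustration.

```python
from datetime import datetime, timezone

# First sample is the date from the question; the rest are constructed.
SAMPLES = [
    "2014-07-01T01:30:00.000000+03:00",  # from the question: UTC is previous day
    "2014-07-01T12:00:00.000000+03:00",  # constructed: same day locally and in UTC
    "2014-12-31T22:15:00.000000-05:00",  # constructed: UTC is next day and year
    "2014-07-01T00:00:00.000000Z",       # constructed: already UTC
]


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp into a timezone-aware datetime."""
    if ts[-1] in "Zz":                   # older Pythons do not accept 'Z'
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # Without an offset the UTC day cannot be derived; refuse to guess.
        raise ValueError("timestamp carries no UTC offset: %r" % ts)
    return dt


def suffix_by_position(ts):
    """Mimic slicing characters 1-4, 6-7 and 9-10 of the timestamp string."""
    return "%s-%s-%s" % (ts[0:4], ts[5:7], ts[8:10])


def suffix_utc(ts):
    """Date suffix after converting the timestamp to UTC."""
    return parse_rfc3339(ts).astimezone(timezone.utc).strftime("%Y-%m-%d")


def compare(ts, prefix="X-Y-"):
    """Return (index by position, index by UTC date, whether they differ)."""
    by_pos = prefix + suffix_by_position(ts)
    by_utc = prefix + suffix_utc(ts)
    return by_pos, by_utc, by_pos != by_utc


if __name__ == "__main__":
    for sample in SAMPLES:
        by_pos, by_utc, differs = compare(sample)
        flag = "MISMATCH" if differs else "ok"
        print("%-34s %s  %s  %s" % (sample, by_pos, by_utc, flag))
```

Events flagged as a mismatch land in a different daily index than a UTC-bounded search or retention job expects, which matters when reconstructing a timeline across hosts in several time zones.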
