Hi David,
On 23 November 2015 at 17:20, David Lang <[email protected]> wrote: > > On Mon, 23 Nov 2015, Dov Murik wrote: > >> We're considering using syslog format for messages from "things" >> (small low-power devices), and would like not to rely on their >> real-world clocks (some of them might not have a real-world clock at >> all). >> > > they still have a clock, it just may not be synced with the real-world. > > You're right. In my case some devices reset the clock to zero on every power loss, so it'll be *very* out-of-sync with the real-world time. > Note that rsyslog has both the timestamp from the message, and the > timereceived on the server. If you are getting data from a source with a > known-bad clock, make use of timereceived. > That's what I want to do (and expected that rsyslog will do it automatically if it received "-" in the timestamp field). > But since logs can be delayed in processing, it's actually better to > record the timestamp from the log message even if you are using > timereceived for the wall-clock time. It gives you better information about > what's going on in the sending system > > Good idea, I'll do that. > Also note that RFC5424 and it's structured data approach has ended up > being a dud in practice. In practice, it's better to send your log data > structured as JSON in the body of the message. The only advantage of > RFC5424 is the timestamp in the message (high precision with timezone and > year) > > Thanks for the advice. Can you point me to some info/discussions about the problems with the Structured Data format and decisions to abandon it? I can clearly see that using JSON makes it easier to throw log lines into ElasticSearch and similar. Best, Dov _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
