On Mon, 23 Nov 2015, Dov Murik wrote:
We're considering using syslog format for messages from "things"
(small low-power devices), and would like not to rely on their
real-world clocks (some of them might not have a real-world clock at
all).
they still have a clock, it just may not be synced with the real-world.
You're right. In my case some devices reset the clock to zero on every
power loss, so it'll be *very* out-of-sync with the real-world time.
yep, but most IoT devices end up providing some sort of scheduling, so I expect
that most of them will have some way to get the approximate time (not
necessarily a full blown ntp, but some sort of time query)
Note that rsyslog has both the timestamp from the message, and the
timereceived on the server. If you are getting data from a source with a
known-bad clock, make use of timereceived.
That's what I want to do (and expected that rsyslog will do it
automatically if it received "-" in the timestamp field).
As Rainer said, it's an oversight that they didn't imagine anyone would actually
use that option.
Also note that RFC5424 and its structured data approach has ended up
being a dud in practice. In practice, it's better to send your log data
structured as JSON in the body of the message. The only advantage of
RFC5424 is the timestamp in the message (high precision with timezone and
year)
Thanks for the advice. Can you point me to some info/discussions about the
problems with the Structured Data format and decisions to abandon it? I can
clearly see that using JSON makes it easier to throw log lines into
ElasticSearch and similar.
It's less a decision to abandon the rfc5424 structured data as it is people
ignoring it and never starting to use it in the first place. All the modern
logging daemons support getting/creating JSON data. It allows for multi-layer
structures, and everything is tagged (both gaps with the rfc5424 structured
data). JSON also has the option that programs can use it even with older syslog
daemons. There's no standard way for programs to create rfc5424 structured data
when writing to the logger on the local system.
The main reason I see to use rfc5424 mode is that there is a lot of software out
there that truncates logs in traditional syslog mode, but doesn't in rfc5424 mode
:-/ (and the added timestamp detail is nice)
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
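
The fallback discussed in this thread, as an added example that is not part of the original messages and is not rsyslog code: a collector-side parser that takes an RFC 5424 line, uses the time of receipt when the timestamp is "-" or implausibly far from the collector's clock, and reads a JSON body if there is one. The function name, the max_skew policy and the sample lines are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER = re.compile(
    r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) "
    r"(-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (.*))?", re.S)

def parse_thing_message(line, received, max_skew=timedelta(hours=1)):
    """Parse one RFC 5424 line; `received` is the collector's own UTC clock.

    max_skew is a hypothetical policy knob, not an rsyslog setting.
    """
    m = HEADER.fullmatch(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 message")
    pri, ts, host, app, _procid, _msgid, _sd, body = m.groups()
    when, source = received, "received"        # default: trust the collector
    if ts != "-":                              # "-" is the RFC 5424 NILVALUE
        try:
            device = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if device.tzinfo and abs(device - received) <= max_skew:
                when, source = device, "device"
        except ValueError:
            pass                               # unparseable stamp: keep received
    body = (body or "").lstrip("\ufeff")       # optional BOM before MSG
    fields = None
    try:
        doc = json.loads(body)
        if isinstance(doc, dict):              # only a JSON object counts
            fields = doc
    except ValueError:
        pass                                   # plain-text body stays in msg
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "time": when, "time_source": source, "host": host,
            "app": app, "fields": fields, "msg": body}

# Constructed sample lines from a hypothetical sensor.
RECEIVED = datetime(2015, 11, 23, 12, 0, 0, tzinfo=timezone.utc)
NO_CLOCK = '<134>1 - thing42 sensor - - - {"temp_c": 21.5, "uptime_s": 17}'
RESET_CLOCK = '<134>1 1970-01-01T00:00:17Z thing42 sensor - - - {"temp_c": 21.5}'
GOOD_CLOCK = '<134>1 2015-11-23T11:59:58.250Z thing42 sensor - - - door opened'
```

Keeping time_source next to the chosen time lets later analysis tell a device-reported stamp from a collector-assigned one.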