Thank you David: It is looking like I will have to add a timestamp to all the log entries. As I am not interested in forwarding, consolidating, or processing, I really won't need to apply any additional routines.
I can probably do some isolated tests outside of systemd, but still would like to see a way for the log to show time values related to the time of the event rather than the time the log record is written (which is what I think I am seeing). If it is possible to do this with rsyslog, I would like to give it a try before adding another timestamp. Your information has helped me learn more about this, and I appreciate it. Best regards, Bryan Hunter On Sat, Nov 9, 2019, at 11:04 PM, David Lang wrote: > First off, going through systemd means that you are dependent on the times > that > systemd reports, because there is a delay between when the app writes the log > and when systemd lets rsyslog see it. > > the best thing is to have the app write a timestamp :-) > > next, use imjournal to fetch the logs from journald and parse the metadata > provided (gets you the time that systemd reports) > > next, rsyslog has a message property (i.e. variable) that says when rsyslog > received the message > > then, when you forward the message, you want to NOT set the traditional > forward > format, the default on current versions of rsyslog will send it out with a > high > precision timestamp > > does this answer your questions? > > David Lang > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
