John, SIEMs and other systems can only work with what they are given. If they get invalid timestamps, they have to be able to figure out what the correct timestamp is, and that is sometimes far harder than it should be if the logs are being forwarded.

David Lang

 On Tue, 9 Jun 2020, John Chivian via rsyslog wrote:

Date: Tue, 9 Jun 2020 05:59:14 -0500
From: John Chivian via rsyslog <[email protected]>
To: [email protected]
Cc: John Chivian <[email protected]>
Subject: Re: [rsyslog] stupid question about timestamp modification

There is not a graceful way to do what you're asking, nor would you want to.  UTC never shifts; other time zones do, and if you don't account for this, events get displaced on the timeline.  It's best to deliver the events to a system (like a SIEM) that will put events on the timeline correctly regardless of timezone.

Regards,

On 6/9/20 1:25 AM, Eero Volotinen via rsyslog wrote:
Hi,

My Cisco ASA supports only UTC timestamps or no timestamp in syslogs.

Is it possible to modify timestamp in rsyslog and then resend to remote
syslogger?

How?

Eero
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
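
An added example, not part of the thread and not rsyslog code: it shows the displacement described above by rewriting two UTC-stamped events as zone-less local time across a daylight-saving fall-back, then counting how many UTC instants a receiver could recover from such a stamp. The zone `Europe/Helsinki`, the sample events and all function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+, uses the system tz database

FMT = "%Y-%m-%d %H:%M:%S"
ZONE = "Europe/Helsinki"  # assumed relay zone, not taken from the thread

# Constructed sample: two events 20 minutes apart, stamped in UTC by the device.
EVENTS_UTC = ["2020-10-25 00:50:00", "2020-10-25 01:10:00"]


def rewrite_local(utc_stamp, zone=ZONE):
    """Rewrite a UTC stamp as local wall-clock time with no offset attached."""
    utc = datetime.strptime(utc_stamp, FMT).replace(tzinfo=timezone.utc)
    return utc.astimezone(ZoneInfo(zone)).strftime(FMT)


def order_preserved(utc_stamps, zone=ZONE):
    """True if sorting by the rewritten local stamps keeps the original order."""
    local = [rewrite_local(s, zone) for s in utc_stamps]
    return local == sorted(local)


def utc_candidates(local_stamp, zone=ZONE):
    """UTC instants a zone-less local stamp can denote: none, one or two."""
    naive = datetime.strptime(local_stamp, FMT)
    tz = ZoneInfo(zone)
    found = []
    for fold in (0, 1):  # fold selects the first or second pass of a repeated hour
        utc = naive.replace(tzinfo=tz, fold=fold).astimezone(timezone.utc)
        # A wall-clock time skipped by the spring-forward jump fails the round trip.
        back = utc.astimezone(tz).replace(tzinfo=None)
        if back == naive and utc not in found:
            found.append(utc)
    return [u.strftime(FMT) for u in found]


if __name__ == "__main__":
    for stamp in EVENTS_UTC:
        print(stamp, "UTC ->", rewrite_local(stamp), "local")
    print("order preserved after rewrite:", order_preserved(EVENTS_UTC))
    print("03:30 on fall-back day:", utc_candidates("2020-10-25 03:30:00"))
    print("03:30 on spring-forward day:", utc_candidates("2020-03-29 03:30:00"))
```
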

