This is true, and why ALL timestamps should contain an offset.
Also, your note about custom templates and somewhat incomplete
functionality is exactly why I replied that there is not a "graceful"
way to do it. I've tried it, and it's not easy or straightforward even
with the new syntax.
Unless I missed something, you have to use format_time and parse_time.
Doing so loses any fractional seconds. I was also unable to figure out
how to make rsyslog tell you the TZ offset of the server it's running
on. This would be useful for appending to events that you know are from
the same timezone, but don't have the offset specified within.
Thanks for the reply,
On 6/9/20 1:47 PM, David Lang wrote:
John, SIEMs and other systems can only work with what they are given.
If they get invalid timestamps, they have to be able to figure out
what the correct timestamp is, and that is sometimes far harder than
it should be if the logs are being forwarded.
David Lang
On Tue, 9 Jun 2020, John Chivian via rsyslog wrote:
Date: Tue, 9 Jun 2020 05:59:14 -0500
From: John Chivian via rsyslog <[email protected]>
To: [email protected]
Cc: John Chivian <[email protected]>
Subject: Re: [rsyslog] stupid question about timestamp modification
There is not a graceful way to do what you're asking, nor would you
want to. UTC never shifts; other time zones do, and if you don't
account for this, events get displaced on the timeline. It's best to
deliver the events to a system (like a SIEM) that will put events on
the timeline correctly regardless of timezone.
Regards,
On 6/9/20 1:25 AM, Eero Volotinen via rsyslog wrote:
Hi,
My Cisco ASA supports only UTC timestamps or no timestamp in syslogs.
Is it possible to modify the timestamp in rsyslog and then resend to a
remote syslogger?
How?
Eero
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
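
Added example, not part of the original thread and not rsyslog code: a receiver-side normalizer that attaches a per-source offset to timestamps that lack one, keeps fractional seconds, and orders events by actual instant. Host names, the offset policy table and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy: offset to assume for sources known to omit one.
ASSUMED_OFFSET = {
    "asa-fw1": timezone.utc,                     # device logs UTC, no offset
    "app-srv1": timezone(timedelta(hours=-5)),   # fixed offset; wrong after a DST shift
}

def normalize(host: str, ts: str) -> datetime:
    """Return an aware UTC datetime, preserving fractional seconds."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # No offset in the event: use the configured one, never guess.
        try:
            dt = dt.replace(tzinfo=ASSUMED_OFFSET[host])
        except KeyError:
            raise ValueError(f"{host}: no offset in timestamp and none configured") from None
    return dt.astimezone(timezone.utc)

def to_rfc3339(dt: datetime) -> str:
    """Render with an explicit offset and millisecond precision."""
    return dt.isoformat(timespec="milliseconds")

def timeline(events):
    """Sort (host, timestamp, message) tuples by the instant they describe."""
    rows = [(normalize(host, ts), host, msg) for host, ts, msg in events]
    rows.sort(key=lambda r: r[0])
    return [(to_rfc3339(dt), host, msg) for dt, host, msg in rows]

# Constructed sample events: two without an offset, one with.
EVENTS = [
    ("asa-fw1", "2020-06-09T06:25:01.250", "connection built"),
    ("web-srv1", "2020-06-09T01:25:01.900-05:00", "login accepted"),
    ("app-srv1", "2020-06-09T01:25:01.100", "request received"),
]

if __name__ == "__main__":
    for row in timeline(EVENTS):
        print(*row)
```

Sorting the raw timestamp strings would place the firewall event last; on the normalized timeline it falls between the other two, 150 ms after the first.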