Hi all,

A current discussion on the loganalysis mailing list has shown that many people are not quite happy with the syslog timestamp. Specifically, the absence of time zone information is causing problems for many geographically spread locations.

The problem with the current [RFC3164] timestamp is that it is not possible to reliably consolidate log data over multiple time zones, not even when proper time synchronization is in place. The only way to do this would be to configure the central collector(s) to know each device generating syslog messages and to adjust the reported time accordingly. Obviously, this is error-prone and work-intensive.

As such, I am asking for a modification to the current syslog-sign draft, specifically section 2.2 (HEADER) where the TIMESTAMP is discussed. I suggest that a timestamp as described in [RFC3339] "date-time" format should become recommended but the [RFC3164] timestamp should still be allowed (but be deprecated). That way, it would be possible for a collector to detect both formats and act on the less precise accordingly.

Any support for this on the WG?

Rainer Gerhards
Adiscon
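
The collector-side detection proposed above, as an added example (not part of the original message and not taken from any syslog implementation): it recognises both TIMESTAMP forms, converts the RFC 3339 form to UTC directly, and falls back to a configured per-device offset for the RFC 3164 form, flagging that result as unreliable. The function name, the `assumed_offset_min` and `assumed_year` parameters, and the sample timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" (day space-padded), no year, no zone.
RFC3164 = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d{2}):(\d{2}):(\d{2})$")
# RFC 3339 date-time: full date, optional fraction, mandatory "Z" or offset.
RFC3339 = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
                     r"(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def normalize(ts, assumed_offset_min, assumed_year):
    """Return (utc_datetime, reliable) for a syslog TIMESTAMP field.

    assumed_offset_min and assumed_year are collector-side guesses (hypothetical
    per-device configuration); they are used only for the RFC 3164 form, and
    reliable is False whenever they were needed.
    """
    m = RFC3339.match(ts)
    if m:
        y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
        frac, zone = m.group(7), m.group(8)
        micro = int((frac[1:] + "000000")[:6]) if frac else 0
        if zone.upper() == "Z":
            off = 0
        else:
            off = int(zone[1:3]) * 60 + int(zone[4:6])
            off = -off if zone[0] == "-" else off
        local = datetime(y, mo, d, h, mi, s, micro,
                         tzinfo=timezone(timedelta(minutes=off)))
        return local.astimezone(timezone.utc), True
    m = RFC3164.match(ts)
    if m and m.group(1) in MONTHS:
        local = datetime(assumed_year, MONTHS.index(m.group(1)) + 1,
                         int(m.group(2)), int(m.group(3)), int(m.group(4)),
                         int(m.group(5)),
                         tzinfo=timezone(timedelta(minutes=assumed_offset_min)))
        return local.astimezone(timezone.utc), False
    raise ValueError("unrecognized TIMESTAMP: %r" % ts)


if __name__ == "__main__":
    # Constructed samples: one instant as reported by two devices.
    for ts, off in [("2003-10-11T22:14:15.003+02:00", 0),
                    ("Oct 11 22:14:15", 120),   # collector configured correctly
                    ("Oct 11 22:14:15", 0)]:    # collector not configured
        print(ts, "->", normalize(ts, off, 2003))
```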
