In some email I received from Rainer Gerhards, sie wrote:
> Hi all,
>
> A current discussion on the loganalysis mailing list has shown that many
> people are not quite happy with the syslog timestamp. Specifically, the
> absence of time zone information is causing problems to many
> geographically spread locations.
>
> The problem with the current [RFC3164] timestamp is that it is not
> possible to reliably consolidate log data over multiple time zones, not
> even when proper time synchronization is in place. The only way to do
> this would be to configure the central collector(s) to know each device
> generating syslog messages and be configured to adjust the reported time
> accordingly. Obviously, this is error-prone and work-intensive.
>
> As such, I am asking for a modification to the current syslog-sign
> draft, specifically section 2.2 (HEADER) where the TIMESTAMP is
> discussed. I suggest that a timestamp as described in [RFC3339]
> "date-time" format should become recommended but the [RFC3164] timestamp
> should still be allowed (but be deprecated). That way, it would be
> possible for a collector to detect both formats and act on the less
> precise accordingly.
>
> Any support for this on the WG?

I think that this is getting into message content and that's outside the charter for this WG.
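
The collector behaviour proposed in the quoted message, sketched as an added example that is not part of the original thread: it detects both timestamp formats, normalizes to UTC, and flags the result when the zone had to be assumed. The function name, the per-sender `assumed_offset` and `assumed_year` settings, and the sample messages are constructed for illustration, and the PRI part is assumed to be already stripped.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" (day space-padded), no year, no zone.
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d{2}):(\d{2}):(\d{2}) ")
# RFC 3339 date-time: full date, optional fraction, mandatory "Z" or offset.
RFC3339_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt](\d{2}:\d{2}:\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_timestamp(msg, assumed_offset, assumed_year):
    """Return (utc_datetime, kind, zone_known) for a message with PRI removed.

    assumed_offset / assumed_year are per-sender collector settings
    (hypothetical); they are used only when the sender gives no zone or year.
    """
    m = RFC3339_RE.match(msg)
    if m:
        date, clock, frac, zone = m.groups()
        dt = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        if frac:
            dt += timedelta(seconds=float(frac))
        offset = timedelta(0)
        if zone not in ("Z", "z"):
            sign = 1 if zone[0] == "+" else -1
            offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
        return (dt - offset).replace(tzinfo=timezone.utc), "rfc3339", True
    m = RFC3164_RE.match(msg)
    if m and m.group(1) in MONTHS:
        mon, day, hh, mm, ss = m.groups()
        dt = datetime(assumed_year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        # The zone is a guess: flag it so later correlation can treat it as such.
        return (dt - assumed_offset).replace(tzinfo=timezone.utc), "rfc3164", False
    raise ValueError("no recognizable TIMESTAMP")

# Constructed sample messages: the same instant reported by two senders.
OLD_STYLE = "Oct 11 22:14:15 host1 app: started"         # sender clock at UTC+2
NEW_STYLE = "2003-10-11T16:14:15-04:00 host2 app: started"

if __name__ == "__main__":
    for offset in (timedelta(hours=2), timedelta(0)):  # right, then wrong, setting
        print(offset, parse_timestamp(OLD_STYLE, offset, 2003))
    print(parse_timestamp(NEW_STYLE, timedelta(0), 2003))
```

With the collector's per-sender offset set wrongly, the old-style message lands two hours away from the new-style one even though both senders' clocks are correct.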
