<div dir="auto"><div>Hi,</div><div dir="auto"><br></div><div dir="auto">Strange indeed. To solve this the logging application and syslog-ng needs to agree on the time-zone being used.</div><div dir="auto"><br></div><div dir="auto">syslog-ng uses the system time-zone by default but it can be overridden using the time-zone() option of the unix-dgram() source driver. </div><div dir="auto"><br></div><div dir="auto">The applications should also use the system time-zone. Here it's usually the libc (glibc or musl) that generates the timestamp. More specifically the syslog() function. It might happen that:</div><div dir="auto"><br></div><div dir="auto">* Some applications bypass the libc api and send its messages directly (util-linux logger does this for instance)</div><div dir="auto">* If an application has its own implementation, it may or may not use the system time-zone properly.</div><div dir="auto"><br></div><div dir="auto">To debug the problem, try to get access to the raw log data as received by syslog-ng.</div><div dir="auto"><br></div><div dir="auto">* It displays the incoming message on the debug level</div><div dir="auto">* You could strace the sending app</div><div dir="auto">* You could tell syslog-ng to store $RAWMSG using flags(store-raw-message) and then look at its value by using a destination that you use for debugging.</div><div dir="auto"><br></div><div dir="auto">In any case, once you recognize what sends the incorrect time-zone, you can probably find a reason why it sends it incorrectly.</div><div dir="auto"><br></div><div dir="auto">If you just want to solve this quickly, use keep-timestamp(no), that way syslog-ng will overwrite the message timestamp with the reception time, and that with correct time-zone.</div><div dir="auto"><br></div><div dir="auto">As a second alternative, you could use the pretty recent flags(guess-timezone) flag which uses a heuristic to fix up the time-zone, assuming the time between sending and receiving the message is less than 30 seconds.</div><div dir="auto"><br></div><div dir="auto">Bazsi</div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Mon, Aug 15, 2022, 18:31 Jeff Kletsky <<a href="mailto:syslogng@allycomm.com" target="_blank" rel="noreferrer">syslogng@allycomm.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">As best as I can determine, there is a time zone problem associated with <br>
how the messages are generated through some of the channels.<br>
<br>
<br>
<a href="https://forum.openwrt.org/t/syslog-ng-timezone-issues/48130" rel="noreferrer noreferrer noreferrer" target="_blank">https://forum.openwrt.org/t/syslog-ng-timezone-issues/48130</a><br>
<br>
<a href="https://forum.openwrt.org/t/utc-timezones-used-for-apps-in-syslog-ng-instead-of-configured-one/45095" rel="noreferrer noreferrer noreferrer" target="_blank">https://forum.openwrt.org/t/utc-timezones-used-for-apps-in-syslog-ng-instead-of-configured-one/45095</a> <br>
<br>
<br>
<a href="https://github.com/openwrt/packages/issues/18633" rel="noreferrer noreferrer noreferrer" target="_blank">https://github.com/openwrt/packages/issues/18633</a><br>
<br>
<a href="https://gitlab.nic.cz/turris/os/packages/-/issues/471" rel="noreferrer noreferrer noreferrer" target="_blank">https://gitlab.nic.cz/turris/os/packages/-/issues/471</a><br>
<br>
<br>
Changing how /dev/log is interpreted may either hide or resolve the <br>
issue, depending on your perspective:<br>
<br>
source s_devlog {<br>
unix-dgram("/dev/log", keep-timestamp(no));<br>
};<br>
<br>
<br>
Jeff<br>
<br>
On 8/14/22 8:56 PM, Francois Marier wrote:<br>
> I'm trying to understand timezones in syslog-ng, but I think there's<br>
> something I'm missing.<br>
><br>
> If I do the following on my OpenWRT machine:<br>
><br>
> /etc/init.d/syslog-ng restart<br>
> logger TestA<br>
><br>
> I see the following in /var/log/messages:<br>
><br>
> Aug 14 20:39:35 hostname syslog-ng[9860]: syslog-ng shutting down; version='3.37.1'<br>
> Aug 14 20:39:36 hostname syslog-ng[10024]: syslog-ng starting up; version='3.37.1'<br>
> Aug 14 20:39:36 hostname syslog-ng[10024]: Syslog connection established; fd='15', server='AF_INET(<a href="http://192.168.1.10" rel="noreferrer noreferrer" target="_blank">192.168.1.10</a>:514)', local='AF_INET(<a href="http://0.0.0.0:0" rel="noreferrer noreferrer noreferrer" target="_blank">0.0.0.0:0</a>)'<br>
> Aug 15 03:39:49 hostname root: TestA<br>
><br>
> The correct timezone is the one in the first three lines. Other daemon<br>
> messages are displayed using the incorrect timezone like `logger`.<br>
><br>
> I've attached my syslog-ng.conf file.<br>
><br>
> So my question is why is the time information correct in the first three<br>
> messages and then incorrect from there on?<br>
><br>
> Francois<br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
</blockquote></div></div></div>