On Mon, 2011-06-06 at 12:30 -0400, Tamas Szklenar wrote:
Hi,
I tried to configure the time zones according to the manuals, but it is not working for me and I have no more ideas... Our syslog-ng server is located in Cambridge, US (UT-04:00) and one of our client computers is in Arizona (UT-07:00). I tried to set up the config files with these time zones.
I attached the config files to my mail, could you please help to solve this problem?

You are specifying time-zone option on both the client and the server, which may not be what you want (although can be).

When syslog-ng receives a message, it tries to identify its timezone offset. The algorithm used is:

- if the message has a timezone field in the timestamp, use that (ISODATE has that, traditional BSD doesn't)
- if it has no timezone information, the current local time zone of the syslog-ng instance is used

Once the timezone is identified, both the timezone and the UTC timestamp are remembered for the message until it reaches its destination.

When processing the message on the destination side, the timezone of the output timestamp is calculated as follows:

- if the destination has no time-zone specified, then the message timezone is used verbatim. (e.g. whatever was identified when receiving it will be used on the output)
- if the destination does have a time-zone() option, a time-zone conversion takes place: the timestamp is converted from its source timezone to the destination time-zone.

In your case, you have two syslog-ng instances, one on the client, and one on the server.

On the client, the sender of the message is the application, which is then received by the local syslog-ng process and then sent out to the server. In this case, the local timezone is associated with the message (e.g. -07:00), which is then sent out. Since there's a timezone option for your destination:

    destination d_net {
        tcp("xxxxxxxxx" port(xxxxx) tls(ca_dir("/etc/ssl")) time_zone(-07:00));
    };

It'll be converted to -07:00, which is a NOP. But since the timestamp style is not specified in the global options (ts_format), nor in the destination itself, and no template is used (with the $ISODATE macro), syslog-ng will use the traditional BSD syslog format with a legacy timestamp, which has no year nor timezone information.

This is then received by the server. The server has a time-zone option in its source:

    tcp(
        ip(xxx.xxx.xxx.xxx) port(xxxxx) max-connections(100)
        tls (
            key_file("/etc/ssl/demoCA/external-server.key")
            cert_file("/etc/ssl/demoCA/external-server.csr")
            peer_verify(optional-untrusted)
        )
        time_zone(-04:00)
    );

Since there's no timezone information in the message as it comes in, syslog-ng will _assume_ that it is -04:00, which is certainly not the case, as we know that it's -07:00.

Is it possible that this is where it went wrong?

Also, newer versions of syslog-ng (I think it was starting with 3.0) support specifying timezones via names, (e.g. Europe/Budapest instead of +01:00), which has the benefit that syslog-ng will properly recognize daylight saving times.

--
Bazsi
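
The receive and destination rules described in the reply above, modelled as an added example (this is not syslog-ng code and not part of the original message). It relays one constructed log line from the -07:00 client to the -04:00 server, once with a BSD timestamp and once with an ISO timestamp, and measures how far the server's view drifts from the true event time. The function names and the year 2011 (a BSD timestamp carries no year) are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

def tz(hours):
    return timezone(timedelta(hours=hours))

def receive(stamp, assumed_tz, year=2011):
    """Receiving rule: use the offset in the timestamp if it has one,
    otherwise fall back to the zone the receiver assumes."""
    try:
        ts = datetime.fromisoformat(stamp)            # ISO form, may carry an offset
    except ValueError:
        # Legacy BSD form: no year, no zone. The year is supplied by the caller.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts if ts.tzinfo else ts.replace(tzinfo=assumed_tz)

def emit(ts, dest_tz=None, iso=False):
    """Destination rule: without a destination zone the message zone is kept,
    with one the timestamp is converted to it before formatting."""
    out = ts if dest_tz is None else ts.astimezone(dest_tz)
    if iso:
        return out.isoformat()                        # offset survives on the wire
    return f"{out:%b} {out.day:2d} {out:%H:%M:%S}"    # offset is dropped here

CLIENT, SERVER = tz(-7), tz(-4)        # the two offsets from the thread
APP_LINE = "Jun  6 09:30:00"           # constructed sample, written by the client app
TRUE_UTC = datetime(2011, 6, 6, 16, 30, tzinfo=timezone.utc)

def server_view(iso_on_wire):
    """Return (timestamp text on the wire, event time in UTC as the server sees it)."""
    on_client = receive(APP_LINE, CLIENT)              # local zone is attached
    wire = emit(on_client, dest_tz=CLIENT, iso=iso_on_wire)
    on_server = receive(wire, SERVER)                  # source assumes -04:00
    return wire, on_server.astimezone(timezone.utc)

def skew(iso_on_wire):
    """How far the server's idea of the event time is from the real one."""
    return TRUE_UTC - server_view(iso_on_wire)[1]

if __name__ == "__main__":
    for iso in (False, True):
        wire, seen = server_view(iso)
        print(f"wire={wire!r:30} server_utc={seen:%H:%M} skew={skew(iso)}")
```

A three-hour skew of this kind matters when events from several hosts are correlated on the central server, since the client's entries appear to have happened earlier than they did.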