On Thu, 2009-01-15 at 15:03 +0800, Charles Chan wrote:
Recently I have been using syslog-ng for a log collection environment and encountered a time zone problem. I hope somebody can help me. Thanks.

The environment is like this: the Apache server (PDT timezone, UTC-8) forwards its Apache log through syslog to the syslog-ng server (CST timezone, UTC+8). Between servers in the same time zone there is no problem with the forwarding.

The syslog-ng test configuration is as follows:

    destination int_apache {
        file("/disk3/cookie_logs/pid1/$YEAR-$MONTH-$DAY/${HOST}.apache.log"
            time_zone(-08:00)
            template("$DAY-$HOUR $S_DAY-$S_HOUR $R_DAY-$R_HOUR $ISODATE $MSGONLY\n")
            template_escape(no));
    };

The original Apache log is:

    58.240.69.161 - - - [14/Jan/2009:22:27:47 -0800] "GET / www.example.com/ HTTP/1.1" 200 2028 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

The log generated by the syslog-ng server is:

    14-22 14-22 14-22 2009-01-14T22:27:47-08:00 58.240.69.161 - - - [14/Jan/2009:22:27:47 -0800] "GET / www.example.com/ HTTP/1.1" 200 2028 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

The generated file should be kept in /disk3/cookie_logs/pid1/2009-01-14. However, the actual file is stored in /disk3/cookie_logs/pid1/2009-01-15. As can be seen, the $DAY used by the syslog-ng configuration item file() and the $DAY used by template() are in fact not the identical macro. Is this a syslog-ng bug, or is it a configuration error on my part? Can anyone help answer this? Thanks!

Well, as I researched this area, there's some version dependence here.

In syslog-ng 2.1 (and probably 2.0, but I haven't checked) if you use the time related macros in a filename, then the timestamps are converted to use the local timezone of the syslog-ng process. In the examples above, the time_zone() option only affects the _contents_ of the file, and not the filenames.

In 3.0 this "behaviour" is fixed and the timezone of the timestamp is used, without alteration.

(and NOTE that in 3.0 the timezone handling was expanded significantly, e.g. you can specify a location _by name_ instead of using plain timezone offsets which do not support daylight saving)

--
Bazsi
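
The directory rollover discussed in this thread, worked through as an added example (not part of either message and not syslog-ng code): a Python model of the filename date expansion as the reply describes it for 2.1 and 3.0. The function names and the sample timestamps are assumptions constructed for illustration; only the first sample comes from the thread.

```python
from datetime import datetime, timedelta, timezone

BASE = "/disk3/cookie_logs/pid1"        # directory used in the thread
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"      # Apache access-log timestamp layout


def offset_zone(text):
    """Turn a plain offset such as '-08:00' or '+08:00' into a tzinfo."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def day_dir(stamp, zone=None):
    """Expand $YEAR-$MONTH-$DAY; zone=None keeps the stamp's own zone."""
    shown = stamp if zone is None else stamp.astimezone(zone)
    return f"{BASE}/{shown:%Y-%m-%d}"


def filename_dirs(ts_field, process_offset):
    """Directory chosen under each behaviour described in the reply."""
    stamp = datetime.strptime(ts_field, APACHE_TS)
    return {
        # 2.1: filename macros converted to the syslog-ng process's zone
        "2.1": day_dir(stamp, offset_zone(process_offset)),
        # 3.0: the timestamp's own zone is used, without alteration
        "3.0": day_dir(stamp),
    }


def misfiled(ts_fields, process_offset):
    """Entries whose 2.1 directory differs from the 3.0 directory."""
    rows = []
    for field in ts_fields:
        dirs = filename_dirs(field, process_offset)
        if dirs["2.1"] != dirs["3.0"]:
            rows.append((field, dirs["2.1"], dirs["3.0"]))
    return rows


# First entry is the log line from the thread; the others are constructed.
SAMPLES = [
    "14/Jan/2009:22:27:47 -0800",
    "14/Jan/2009:07:59:59 -0800",
    "14/Jan/2009:08:00:00 -0800",
]

if __name__ == "__main__":
    for field, old, new in misfiled(SAMPLES, "+08:00"):
        print(f"{field}: 2.1 -> {old}   3.0 -> {new}")
```

With a sender at -08:00 and a collector at +08:00, every entry stamped from 08:00 sender time onward lands in the next day's directory under the 2.1 behaviour, which matters when rebuilding a timeline from per-day log directories.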