Hello Sebastian!

I see you have asked your question a month ago, but hope my answers can still help you.

Best Regards,
Gabor 

On Mon, Oct 30, 2017 at 4:02 PM, Sebastian Roland <seroland86@gmail.com> wrote:
Hi,

after reading the admin guide and playing around with different setups
several times I'm still struggling to fully understand the timezone
functionality of syslog-ng.

How are time-zone() / recv-time-zone() and send-time-zone() related?

Some notes I made during investigation:

* Logging through syslog() function logs in old BSD syslog format which
does not contain a timezone. recv-time-zone() is utilized to assign a
timezone. If no value has been specified the local time zone is used.
 
* According to the admin guide send-time-zone() is only used when the
timezone is not specified otherwise. This didn't turn out to be true.

Example:
Syslog server a sends via syslog protocol over tcp (timezone is part of
the message) to server b. setting send-time-zone(x) on server b changes
the timezone (and timestamp) in the destination file to the time in
timezone x.
If send-time-zone() is not set at all nothing happens although the
admin guide states that the default is to use the local timezone. IMHO
no change should be applied to the message. Note that keep-timestamp(yes)
is set on server b.
Only using the local timezone if no timezone info is found in the message.

* If both time-zone() and send-time-zone() are set globally time-zone()
overrides send-time-zone()
Both time-zone() and send-time-zone() do the same in global settings (setting the timezone info for sent messages).
Therefore whichever comes later will be the actual sent timezone.

* time-zone() can be set globally and on drivers. Specific settings
overrides global config.
I think this is expected, isn't it?


The confusing part is the behavior when a timestamp is already set
within an incoming message and send-time-zone() is explicitly set (with
keep-timestamp(yes)). Is it actually intended that send-time-zone()
changes a timestamp?
No, it should not be changed if the incoming message has a timestamp and keep-timestamp(yes) is set.


Shouldn't the logic be that recv-time-zone() and send-time-zone() are
only relevant when there is no tz offset available and a default one
needs to be set for receiving and sending respectively and time-zone()
is used to actually convert to a different timezone?


If I'm getting something fundamentally wrong please advise.
To be able to investigate this in detail, can you share your configuration and syslog-ng version, please?
Also, if you can share some examples of your incoming log files that would help a lot, because it can be a log parsing failure.
You said that "Logging through syslog() function logs in old BSD syslog format".
Well, using the syslog() driver requires sending the logs in RFC5424 format, but you can send old BSD syslog messages if they are framed in RFC5424.


Kind regards
Sebastian
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
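The following is an added model of the timezone logic Sebastian proposes in the thread (recv-time-zone() and send-time-zone() only supply a zone for a stamp that carries none, time-zone() converts, and a stamp that arrived with its own offset is left alone); it is not syslog-ng code and does not claim to reproduce syslog-ng's actual behaviour. The zone table, the message lines and the default "local" zone are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed fixed-offset zones so the model runs without tzdata; real
# syslog-ng takes IANA names such as "Europe/Berlin" instead.
ZONES = {
    "UTC": timezone.utc,
    "CET": timezone(timedelta(hours=1), "CET"),
    "EDT": timezone(timedelta(hours=-4), "EDT"),
}

# RFC5424 header: <PRI>1 TIMESTAMP ...   (timestamp carries an offset)
RFC5424_RE = re.compile(r"^<\d+>1 (\S+) ")
# Old BSD header:  <PRI>Mmm dd hh:mm:ss ... (no year, no offset)
BSD_RE = re.compile(r"^<\d+>([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")


def receive(msg, recv_tz=None, year=2017):
    """Parse the stamp of an incoming line (keep-timestamp(yes) assumed).

    An RFC5424 stamp keeps the offset it came with. A BSD stamp has none, so
    the configured recv_tz is attached; with no recv_tz it stays naive.
    """
    m = RFC5424_RE.match(msg)
    if m:
        return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    m = BSD_RE.match(msg)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % msg)
    naive = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=ZONES[recv_tz]) if recv_tz else naive


def send(stamp, send_tz=None, time_zone=None, local_tz="UTC"):
    """Render the stamp for a destination.

    send_tz is only a fallback for a stamp that still has no zone (then the
    assumed local zone); time_zone performs a real conversion, which changes
    the wall-clock text but never the instant.
    """
    if stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=ZONES[send_tz or local_tz])
    if time_zone:
        stamp = stamp.astimezone(ZONES[time_zone])
    return stamp.isoformat()
```

With this model, a message that arrived over the syslog() driver with "+01:00" renders unchanged no matter what send_tz is, while time_zone("UTC") yields the same instant an hour earlier.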