Hello! I'm trying to log messages with ISO timestamps from different timezones. Example through TCP: <140>2006-11-05T05:15:15+01:00 1 2 3 <140>2006-11-05T05:15:15+02:00 1 2 3 <140>2006-11-05T05:15:15+03:00 1 2 3 The syslog-ng's node is in +01:00 timzone. I left all the time_zone() on default. Template used: template t_year { template("$S_ISODATE $R_ISODATE $S_HOUR: $MSGONLY\n"); }; Result in the log: 2006-11-05T05:15:15.000000+01:00 2006-11-09T16:12:10+01:00 05: 2 3 2006-11-05T07:15:15.000000+02:00 2006-11-09T16:11:41+01:00 07: 2 3 2006-11-05T09:15:15.000000+03:00 2006-11-09T16:12:37+01:00 09: 2 3 There's nothing wrong with the R_ISODATE, but I don't understand the S_ISODATE. When I log with the syslog-ng node timezone it writes the right value, but when I change the timezone in the TCP message the S_HOUR increases! I would like to see the original timestamp from the message and the R_ISODATE right next to each other. Why is the S_ISODATE increased? Can S_HOUR now be used in file name templates??? Thanks in advance, Balazs Szeti
On Thu, 2006-11-09 at 16:04 +0100, Szeti, Balazs wrote:
Hello!
I'm trying to log messages with ISO timestamps from different timezones. Example through TCP: <140>2006-11-05T05:15:15+01:00 1 2 3 <140>2006-11-05T05:15:15+02:00 1 2 3 <140>2006-11-05T05:15:15+03:00 1 2 3
The syslog-ng's node is in +01:00 timzone. I left all the time_zone() on default.
Template used: template t_year { template("$S_ISODATE $R_ISODATE $S_HOUR: $MSGONLY\n"); };
Result in the log: 2006-11-05T05:15:15.000000+01:00 2006-11-09T16:12:10+01:00 05: 2 3 2006-11-05T07:15:15.000000+02:00 2006-11-09T16:11:41+01:00 07: 2 3 2006-11-05T09:15:15.000000+03:00 2006-11-09T16:12:37+01:00 09: 2 3
There's nothing wrong with the R_ISODATE, but I don't understand the S_ISODATE. When I log with the syslog-ng node timezone it writes the right value, but when I change the timezone in the TCP message the S_HOUR increases! I would like to see the original timestamp from the message and the R_ISODATE right next to each other. Why is the S_ISODATE increased? Can S_HOUR now be used in file name templates???
Does your client include timezone information in the messages it sends? syslog-ng can do so, but only if you change the protocol template (assuming you are using syslog-ng 2.0.x) -- Bazsi
Yes. I send these line to syslog-ng's TCP port with telnet: <140>2006-11-05T05:15:15+01:00 1 2 3 <140>2006-11-05T05:15:15+02:00 1 2 3 <140>2006-11-05T05:15:15+03:00 1 2 3 I use syslog-ng 2.0.0rc3. -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: Thursday, November 09, 2006 5:25 PM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] timezones On Thu, 2006-11-09 at 16:04 +0100, Szeti, Balazs wrote:
Hello!
I'm trying to log messages with ISO timestamps from different timezones. Example through TCP: <140>2006-11-05T05:15:15+01:00 1 2 3 <140>2006-11-05T05:15:15+02:00 1 2 3 <140>2006-11-05T05:15:15+03:00 1 2 3
The syslog-ng's node is in +01:00 timzone. I left all the time_zone() on default.
Template used: template t_year { template("$S_ISODATE $R_ISODATE $S_HOUR: $MSGONLY\n"); };
Result in the log: 2006-11-05T05:15:15.000000+01:00 2006-11-09T16:12:10+01:00 05: 2 3 2006-11-05T07:15:15.000000+02:00 2006-11-09T16:11:41+01:00 07: 2 3 2006-11-05T09:15:15.000000+03:00 2006-11-09T16:12:37+01:00 09: 2 3
There's nothing wrong with the R_ISODATE, but I don't understand the S_ISODATE. When I log with the syslog-ng node timezone it writes the right value, but when I change the timezone in the TCP message the S_HOUR increases! I would like to see the original timestamp from the message and the R_ISODATE right next to each other. Why is the S_ISODATE increased? Can S_HOUR now be used in file name templates???
Does your client include timezone information in the messages it sends? syslog-ng can do so, but only if you change the protocol template (assuming you are using syslog-ng 2.0.x) -- Bazsi _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Thu, 2006-11-09 at 17:29 +0100, Szeti, Balazs wrote:
Yes. I send these line to syslog-ng's TCP port with telnet: <140>2006-11-05T05:15:15+01:00 1 2 3 <140>2006-11-05T05:15:15+02:00 1 2 3 <140>2006-11-05T05:15:15+03:00 1 2 3
Can you check if the attached patch fixes this issue? I'd appreciate some more thorough tests on the timezone code, it is quite tricky to get right. -- Bazsi
Hello! Yes! It seems, that the fix solved the problem. I haven't checked everything yet, but the timestamps was just like I expected them. Thanks! As far I see (and maybe it was also written in the manual) if I use the S_XXXX macros in file name, then the time is converted to the local timezone and the file is created with a name according to the received timestamp converted to local timezone. In the logged line the original timezone is used at the same time. Well, it's just fine for me, but it's not a consistent way of using the S_XXXX macros. Should it be configured? :) I will report, if I find a bug with timezones! Thanks for the quick response, I hope we will see the fix in a release soon. Best regards, Balazs Szeti -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: Friday, November 10, 2006 11:28 AM To: Syslog-ng users' and developers' mailing list Subject: RE: [syslog-ng] timezones On Thu, 2006-11-09 at 17:29 +0100, Szeti, Balazs wrote:
Yes. I send these line to syslog-ng's TCP port with telnet: <140>2006-11-05T05:15:15+01:00 1 2 3 <140>2006-11-05T05:15:15+02:00 1 2 3 <140>2006-11-05T05:15:15+03:00 1 2 3
Can you check if the attached patch fixes this issue? I'd appreciate some more thorough tests on the timezone code, it is quite tricky to get right. -- Bazsi
On Fri, 2006-11-10 at 14:57 +0100, Szeti, Balazs wrote:
Hello!
Yes! It seems, that the fix solved the problem. I haven't checked everything yet, but the timestamps was just like I expected them. Thanks!
As far I see (and maybe it was also written in the manual) if I use the S_XXXX macros in file name, then the time is converted to the local timezone and the file is created with a name according to the received timestamp converted to local timezone. In the logged line the original timezone is used at the same time. Well, it's just fine for me, but it's not a consistent way of using the S_XXXX macros. Should it be configured? :)
It used to be configurable, but I thought it'd be even more confusing (at least for me :) In my opinion, any time interpreted and used by syslog-ng itself should use the local time zone, just as any other program running on the same host does this. This way S_HOUR in filenames is the same for two messages generated at the same time but coming with a different zone offset. E.g. if you have something like: file("/var/log/messages-${S_YEAR}-${S_MONTH}-${S_DAY}-${S_HOUR}.log Then if syslog-ng would use the original zone offset in filename expansion, you'd get two files. In reality those messages were generated in the same hour. Inside the file however you get the original timestamp but also with proper timezone information, the logic behind this is to preserve the information that it was _originally_ received with a different timestamp. This is the default behaviour, however you can also "force" the contents of the file to use a unified timezone using the timezone() option of the destination, e.g. file("/var/log/messages" time_zone("+01:00")) -- Bazsi
participants (2)
-
Balazs Scheidler
-
Szeti, Balazs