Handling multiple timezones
After some googling and reading the admin guide, I think what I want to do is not possible. But I'd like confirmation.

My syslog-ng server gets syslog messages from clients with two timezones: UTC and US/Pacific. But the UTC clients (ESXi servers) cannot specify the UTC timezone, so the collector incorrectly assumes the timestamps are local (US/Pacific). I'd really like to convert the UTC timezone to US/Pacific so my entire output is in US/Pacific. But the only place I can specify a source timezone is in the source section - however both client groups send syslogs to the same source so I cannot do that.

So potential workarounds are:

A. Set all the clients to output in the UTC timezone so that I can set UTC in the common source and then convert to US/Pacific as the default output timezone.

B. Setup another IP address to collect syslogs, and set the different timezone on that source (and configure all of those timezones clients to syslog to a different IP). This means you need N IP addresses to collect N different timezones.

Is it considered "Best Practice" to have all clients send syslogs in UTC timezone to avoid this complication?

Any help is appreciated.

Thanks,
Chris
Hi,

while there might be other options, I can think of the following possibilities:

- Your B solution would work for the same IP address but using different ports for the different time zones
- If all your clients in the US/Pacific timezone can include the timezone information, you can set the time_zone() option of your source to UTC, and syslog-ng will apply this information only to the messages that do not include timezone information.
- If the above does not work, and you must stick to a single source, you can try to use a filter to select the clients of the Pacific timezone (using the host or the netmask filter for example), and send these messages into a loop destination (a socket or the loopback interface). That way you can set the timezone, and re-read the messages from a second, local source. Of course, this might be problematic performance-wise, this depends on the amount of messages.

Robert

On 04/06/2012 12:03 AM, Chris Hiestand wrote:
After some googling and reading the admin guide, I think what I want to do is not possible. But I'd like confirmation.
My syslog-ng server gets syslog messages from clients with two timezones: UTC and US/Pacific. But the UTC clients (ESXi servers) cannot specify the UTC timezone, so the collector incorrectly assumes the timestamps are local (US/Pacific). I'd really like to convert the UTC timezone to US/Pacific so my entire output is in US/Pacific. But the only place I can specify a source timezone is in the source section - however both client groups send syslogs to the same source so I cannot do that.
So potential workarounds are:

A. Set all the clients to output in the UTC timezone so that I can set UTC in the common source and then convert to US/Pacific as the default output timezone.

B. Setup another IP address to collect syslogs, and set the different timezone on that source (and configure all of those timezones clients to syslog to a different IP). This means you need N IP addresses to collect N different timezones.
Is it considered "Best Practice" to have all clients send syslogs in UTC timezone to avoid this complication?
Any help is appreciated. Thanks, Chris
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
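The port-per-timezone variant of workaround B, combined with the source-level time_zone() option described in the reply above, as an added configuration sketch (not from the thread or from the syslog-ng project). The source and destination names, port 1514 and the log path are assumptions, and it presumes the ESXi hosts can be pointed at the second port.

```conf
# Added example: merge into an existing syslog-ng.conf (keep that file's own
# @version header). Names, port 1514 and the file path are hypothetical.

# Clients whose timestamps are already in the collector's local zone
# (US/Pacific). No time_zone() here, so timestamps without zone
# information are treated as local time.
source s_net_pacific {
    udp(ip(0.0.0.0) port(514));
};

# ESXi hosts that send UTC timestamps without zone information.
# time_zone() on a source is only a default: it is applied to messages
# that carry no timezone of their own.
source s_net_utc {
    udp(ip(0.0.0.0) port(1514) time_zone("UTC"));
};

# One destination for both groups. time_zone() on the destination sets the
# zone used when timestamps are written, and $ISODATE writes the UTC offset
# into every line so later correlation does not depend on knowing the
# collector's zone.
destination d_remote {
    file("/var/log/remote/$HOST.log"
         time_zone("US/Pacific")
         template("$ISODATE $HOST $MSGHDR$MSG\n"));
};

log {
    source(s_net_pacific);
    source(s_net_utc);
    destination(d_remote);
};
```

Restricting port 1514 at the firewall to the ESXi management addresses keeps a local-time client from landing on the UTC source and having its timestamps shifted.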
Thanks Robert.

Thanks for pointing out the use of different ports, that is a good idea I overlooked. Your second solution unfortunately isn't possible and your third, though quite clever, seems not worth the trouble to me. The timezone problem I'm having is minor and I'd rather just deal with it than jump through such hoops.

I'm disappointed that there isn't a more elegant solution for this problem. I assume it's a very common problem since there's a lot of syslog clients out there that don't allow you to include TZ information.

I might give the multi-port trick a try, thanks.

-Chris

On Apr 6, 2012, at 1:36 AM, Fekete Robert wrote:
Hi, while there might be other options, I can think of the following possibilities:
- Your B solution would work for the same IP address but using different ports for the different time zones
- If all your clients in the US/Pacific timezone can include the timezone information, you can set the time_zone() option of your source to UTC, and syslog-ng will apply this information only to the messages that do not include timezone information.
- If the above does not work, and you must stick to a single source, you can try to use a filter to select the clients of the Pacific timezone (using the host or the netmask filter for example), and send these messages into a loop destination (a socket or the loopback interface). That way you can set the timezone, and re-read the messages from a second, local source. Of course, this might be problematic performance-wise, this depends on the amount of messages.
Robert
participants (2)
- Chris Hiestand
- Fekete Robert