[syslog-ng] Timestamp inconsistency
Tim Boyer
tim at denmantire.com
Tue Jun 26 16:49:52 CEST 2007
>
> The timezone conversions that you specified (all incoming messages
> treated as -04:00 and then converted to -04:00 as written out), is a
> noop.
>
> >
> > I don't understand why it's not logging as local time without me having to
> > do anything. And I _really_ don't understand why the explicit instructions
> > don't work.
> >
> > Pointers in the right direction appreciated...
>
> When an incoming message specifies a timezone (which logger will not do
> by itself), syslog-ng uses that information to convert the time to UTC
> (e.g. GMT+0). If the message does not contain such information in the
> first place, it will _assume_ that it comes from the local timezone. The
> explicit timezone instructions only change this assumption.
>
> If a program generates messages using an incorrect timezone (e.g. ssh,
> or in the case above logger), and it does _NOT_ include this timezone
> information in the message (which the legacy syslog protocol cannot do),
> then syslog-ng has no means to do anything without further information.
> What you can do however, is to force sshd to log to a different socket
> instead of /dev/log and associate a different recv_time_zone() to the
> source handling this different socket. This is not easy, as there's no
> means to override the /dev/log socket when using the syslog functions
> from libc (which sshd does).
>
> So the easiest fix is to fix sshd.
>
I'll get right on that... :)
Seriously, thanks for the detailed explanation - I know what's happening
now, at least. It's Red Hat RHEL5, so it's as up-to-date as I'm going to
get, but I'll at least let them know it's a problem.
--
Tim Boyer
Director IT and Engineering Projects
Denman Tire Corporation
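
Added illustration, not part of the original thread and not syslog-ng's own code: a small Python model of the behaviour described in the quoted explanation, where a legacy timestamp with no zone information is interpreted under an assumed offset, so a sender writing in a different zone is stored skewed. The sample lines, the host name, and the offsets attributed to each sender (-04:00 and UTC) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
# Legacy BSD syslog header: no year and no zone in the timestamp.
LEGACY = re.compile(r"^<\d{1,3}>([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ")
# Header whose timestamp carries an explicit UTC offset.
WITH_ZONE = re.compile(r"^<\d{1,3}>(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d) ")


def to_utc(line, assumed_offset_hours, year):
    """Return (UTC datetime, True if the zone had to be assumed)."""
    m = WITH_ZONE.match(line)
    if m:  # sender stated its zone: the receiver's assumption is not used
        return datetime.fromisoformat(m.group(1)).astimezone(timezone.utc), False
    m = LEGACY.match(line)
    if not m or m.group(1) not in MONTHS:
        raise ValueError("unrecognised syslog header")
    mon, day, hh, mm, ss = m.groups()
    # No zone in the message: the receiver can only apply its configured guess.
    assumed = timezone(timedelta(hours=assumed_offset_hours))
    stamp = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=assumed)
    return stamp.astimezone(timezone.utc), True


def skew_hours(line, assumed_offset_hours, true_utc):
    """How far the stored time is from the real event time, in hours."""
    got, _ = to_utc(line, assumed_offset_hours, true_utc.year)
    return (got - true_utc).total_seconds() / 3600


# Constructed samples: one event at 14:49:52 UTC, as three senders would write it.
EVENT = datetime(2007, 6, 26, 14, 49, 52, tzinfo=timezone.utc)
LOCAL_SENDER = "<13>Jun 26 10:49:52 host1 logger: test"         # -04:00 wall time
UTC_SENDER = "<38>Jun 26 14:49:52 host1 sshd[4242]: test"       # UTC wall time
ZONED_SENDER = "<13>2007-06-26T10:49:52-04:00 host1 app: test"  # states its offset

if __name__ == "__main__":
    for name, line in [("local", LOCAL_SENDER), ("utc", UTC_SENDER),
                       ("zoned", ZONED_SENDER)]:
        for assumed in (-4, 0):
            skew = skew_hours(line, assumed, EVENT)
            print(f"{name:5} assumed {assumed:+d}h -> skew {skew:+.0f}h")
```

Changing the assumed offset fixes one zone-less sender only by breaking the other, which is why the two would need separate sources; the sender that states its offset is unaffected either way.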