[syslog-ng] Please Help problems with timezone and stamping !!

Balazs Scheidler bazsi at balabit.hu
Fri May 4 17:34:01 CEST 2007


On Thu, 2007-05-03 at 12:16 -0400, Guy Fleegman wrote:
> Hello:
> 
> I have several sources that are all reporting to a syslog-ng 2.0.3 server
> My source is
> 
> source all_routers { udp(ip(0.0.0.0) port(514));
> };
> 
> My problem is that I have one source that is isolated to a separate file
> 
> I isolate the file with the following
> filter f_pd_snort { host(intsnort1); };
> 
> and have this destination
> destination d_pd_snort  { file("/var/log/syslog-ng-logs/pd_snort.1"
> perm(0644) template(t_default)); };
> 
> then i use the following command
> log { source(all_routers); filter(f_pd_snort); destination(d_pd_snort); };
> 
> The problem is the format the data is arriving in. It sends data in UTC time
> as follows:
> Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:13:1] Snort Alert
> [Classification: Unknown] [Priority: 3]
> Apr 30 14:04:35 2007 intsnort1 SFIMS: [119:4:1] Snort Alert [Classification:
> Unknown] [Priority: 3]
> Apr 30 14:04:35 2007 intsnort1 SFIMS: [122:3:0] Snort Alert [Classification:
> Unknown] [Priority: 3]
> 
> This is UTC. It is the time that is being sent in the actual packet (I
> verified with wireshark)
> 
> I want syslog-ng to modify the times going into this file (and this file
> only) to reflect EST time.
> 
> Based upon the documentation, the following algorithm is used:
> 
> 1. The sender can specify the timezone of the messages. If the incoming
>    message includes a timezone it is associated with the message. Otherwise,
>    the local timezone is assumed.
> 2. The administrator specifies the *time_zone()* parameter for the source
>    driver that reads the message. This parameter overrides the original
>    timezone of the message. Each source defaults to the value of the
>    *recv_time_zone()* global option.
> 3. The destination driver specifies the timezone via the *time_zone()*
>    parameter. Each destination driver might have an associated timezone
>    value to which message timestamps are converted before they are sent to
>    the final destination (file or network socket). Each destination defaults
>    to the value of the *send_time_zone()* global option. A message can be
>    sent to multiple destination zones.
> 4. When macro expansions are used in the destination filenames, the local
>    timezone is used.
> 
> So option #1 is not being done.
> I can't use #2 because my source is defined for all devices.
> I tried using #3.....  with the line modified as
> destination d_pd_snort  { file("/var/log/syslog-ng-logs/pd_snort.1"
> perm(0644) time_zone(-04:00) template(t_default)); };
> 
> However.. this does not seem to make any difference... Can you please tell
> me why option #3 is not working ....
> and also... why is it that in #1 it is not defaulting to just adding the
> local timezone, since the incoming message does not have a timezone
> specified?

Hmmm.. setting the time_zone() option changed the date stamp for me,
however not to a good value as the timezone offset was negated.

As I understood your message, the timestamps you see do not change at
all. Is that true?

Here's the fix for the negation:

diff --git a/src/cfg.c b/src/cfg.c
index 937d6b4..b5f3a69 100644
--- a/src/cfg.c
+++ b/src/cfg.c
@@ -46,7 +46,7 @@ cfg_timezone_value(gchar *tz, glong *timezone)
       isdigit((int) *(tz+1)) && isdigit((int) *(tz+2)) && (*(tz+3) == ':') && isdigit((int) *(tz+4)) && isdigit((int) *(tz+5)))
     {
       /* timezone offset */
-      gint sign = *tz == '-' ? 1 : -1;
+      gint sign = *tz == '-' ? -1 : 1;
       gint hours, mins;
       tz++;
       



-- 
Bazsi
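As an added example (not syslog-ng's own code), this reimplements the offset parsing with the corrected sign and applies it to the UTC stamp from the Snort lines in the report, assuming the same "[+-]HH:MM" form that time_zone() accepts and the convention that the offset is seconds east of UTC:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Parse a "[+-]HH:MM" offset into seconds east of UTC, so "-04:00" gives
 * -14400. Sign handling matches the fixed cfg_timezone_value(): a leading
 * '-' yields a negative offset. Returns 1 on success, 0 on a malformed
 * string. Hypothetical helper written for this example. */
int parse_tz_offset(const char *tz, long *offset)
{
    if (strlen(tz) != 6)
        return 0;
    if ((tz[0] != '+' && tz[0] != '-') ||
        !isdigit((unsigned char) tz[1]) || !isdigit((unsigned char) tz[2]) ||
        tz[3] != ':' ||
        !isdigit((unsigned char) tz[4]) || !isdigit((unsigned char) tz[5]))
        return 0;

    long sign  = tz[0] == '-' ? -1 : 1;            /* the corrected sign */
    long hours = (tz[1] - '0') * 10 + (tz[2] - '0');
    long mins  = (tz[4] - '0') * 10 + (tz[5] - '0');
    if (hours > 14 || mins > 59)                   /* no such real zone */
        return 0;

    *offset = sign * (hours * 3600 + mins * 60);
    return 1;
}

/* Render a UTC epoch time shifted into the zone given by offset, using
 * the "Mon DD HH:MM:SS YYYY" layout of the messages in the report. */
void format_in_zone(time_t utc, long offset, char *buf, size_t len)
{
    time_t shifted = utc + offset;
    struct tm *tm = gmtime(&shifted);              /* gmtime: no DST applied */
    strftime(buf, len, "%b %d %H:%M:%S %Y", tm);
}

int main(void)
{
    /* Constructed input: Apr 30 14:04:35 2007 UTC as an epoch value. */
    time_t utc = (time_t) 1177941875;
    long offset;
    char buf[32];
    if (!parse_tz_offset("-04:00", &offset))
        return 1;
    format_in_zone(utc, offset, buf, sizeof buf);
    printf("UTC stamp rendered at -04:00: %s\n", buf);
    return 0;
}
```

With the pre-fix sign the same input would have printed 18:04:35, which is the "negated offset" Bazsi saw.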



More information about the syslog-ng mailing list