[syslog-ng] Timezones, daylight saving times and a lot of confusion
Balazs Scheidler
bazsi at balabit.hu
Thu Sep 20 08:34:26 CEST 2007
On Wed, 2007-09-19 at 12:03 +0200, Thomas Gelf wrote:
> Hi list,
>
> timezones and daylight saving time are causing me a serious headache,
> and I hope that someone can give me a hint :-) Let's start:
>
> * I have several servers sending syslog (clients) and also several
> syslog servers (receivers)
>
> * Most (all) of them are running syslog-ng :o)
>
> * Local timezone is Europe/Rome (CEST), that's GMT +01:00 and +02:00
> during summertime
>
> * All systems have their system clock set to UTC and correct local
> settings (Europe/Rome)
>
> * syslog is written to local files on each server (just to be sure
> to miss nothing in case of network outages etc) + local files on
> syslog receiver (rotation & archive) + mysql db on syslog receiver
> (for short history & web app)
>
> * syslog receiver is currently getting about 60 syslog entries per
> second, once in full production that will be something like 200 per
> second
>
> Even if all of my servers are (at least right now) residing in the same
> timezone I would like to do things the right way. Therefore, in my
> belief, timestamps should be saved as a UTC value - correct localized
> presentation should be up to my web application.
>
> Documentation is telling me that:
>
> > 2.6. Daylight saving changes
> > The syslog-ng application receives the timezone and daylight saving
> > information from the operating system it is installed on. If the
> > operating system handles daylight saving correctly, so does
> > syslog-ng.
>
> This is great news :-) But what exactly does it mean to me? As told
> before all my systems are running with UTC system clock and CEST local
> timezone.
>
> Should I set recv_time_zone("+01:00")? Doesn't make sense to me, as
> I need CEST: +01:00 and +02:00!? Should I set send_time_zone('00:00')
> on each syslog client? Can I trust S_UNIXTIME and / or R_UNIXTIME
> (instead of R_HOUR & Co)?
>
If the clients run syslog-ng, then you should use the ISO timestamp
which includes timezone information. In that case you don't need to
adjust recv_time_zone() at all.

If you want syslog-ng to output a UTC timestamp, then again you won't
need to change any of the timezone-related parameters: incoming messages
are converted to UTC internally, so S_UNIXTIME and R_UNIXTIME expand to
the correct value. (UTC is a timezone-independent time representation;
it is the same everywhere.)
--
Bazsi
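
The point made in the reply above, as an added example that is not part of the original thread and is not syslog-ng code: a timestamp that carries its own UTC offset converts to one unambiguous epoch value, while a legacy timestamp without a zone forces the receiver to assume a fixed offset, which is wrong for half the year in a DST zone. The function names and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def iso_to_unixtime(stamp: str) -> int:
    """ISO 8601 timestamp carrying its own UTC offset -> epoch seconds."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"no UTC offset in {stamp!r}")
    return int(dt.timestamp())

def legacy_to_unixtime(stamp: str, year: int, assumed_offset_hours: int) -> int:
    """BSD-style timestamp has neither year nor zone: the receiver must assume both."""
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    tz = timezone(timedelta(hours=assumed_offset_hours))
    return int(dt.replace(tzinfo=tz).timestamp())

# Constructed samples: the same two events as a Europe/Rome sender would stamp them.
SAMPLES = [
    # (ISO stamp with offset, legacy stamp without zone, year)
    ("2007-09-19T12:03:00+02:00", "Sep 19 12:03:00", 2007),  # CEST (summer)
    ("2007-12-19T12:03:00+01:00", "Dec 19 12:03:00", 2007),  # CET (winter)
]

def skew_with_fixed_offset(assumed_offset_hours: int) -> list:
    """Seconds by which the fixed-offset reading of the legacy stamp misses
    the true instant, one entry per sample."""
    return [
        legacy_to_unixtime(legacy, year, assumed_offset_hours) - iso_to_unixtime(iso)
        for iso, legacy, year in SAMPLES
    ]

if __name__ == "__main__":
    for iso, _, _ in SAMPLES:
        print(iso, "->", iso_to_unixtime(iso))
    # A single fixed offset is always wrong for one of the two seasons.
    print("skew assuming +01:00:", skew_with_fixed_offset(1))
    print("skew assuming +02:00:", skew_with_fixed_offset(2))
```

A one-hour skew of this kind is enough to misorder events when logs from several hosts are correlated, which is why the offset should travel with the message.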