[syslog-ng] Timezone problem?!

Balazs Scheidler bazsi at balabit.hu
Fri Jan 16 20:37:25 CET 2009


On Thu, 2009-01-15 at 15:03 +0800, Charles Chan wrote:
> Recently, while using syslog-ng in a log collection environment, I
> encountered a time zone problem. I hope somebody can help me. Thanks.
> The environment is like this:
> The apache server (PDT timezone, UTC-8) forwards apache logs through
> syslog to the syslog-ng server (CST timezone, UTC+8).
> Servers in the same time zone have no problem when forwarding.
> The syslog-ng test configuration is as follows:
> destination int_apache {
>     file("/disk3/cookie_logs/pid1/$YEAR-$MONTH-$DAY/$(HOST).apache.log"
>         time_zone(-08:00)
>         template("$DAY-$HOUR $S_DAY-$S_HOUR $R_DAY-$R_HOUR $ISODATE $MSGONLY\n")
>         template_escape(no));
> };
> 
> The original apache log is:
> 58.240.69.161 - - - [14/Jan/2009:22:27:47 -0800] "GET /www.example.com/ HTTP/1.1" 200 2028 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
> 
> The syslog-ng server generated log is:
> 14-22 14-22 14-22 2009-01-14T22:27:47-08:00 58.240.69.161 - - - [14/Jan/2009:22:27:47 -0800] "GET /www.example.com/ HTTP/1.1" 200 2028 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
> 
> Originally generated documents should be kept in
> /disk3/cookie_logs/pid1/2009-01-14
> However, the actual file is stored in the
> /disk3/cookie_logs/pid1/2009-01-15
> It can be seen that, in fact, the $DAY used in the syslog-ng file()
> configuration item and the $DAY used in template() are not an identical
> macro. Is this a syslog-ng bug, or a configuration error on my part?
> Can anyone help me answer this? Thanks!

Well, as I researched this area, there's some version dependence here.
In syslog-ng 2.1 (and probably 2.0, but I haven't checked) if you use
the time related macros in a filename, then the timestamps are converted
to use the local timezone of the syslog-ng process. In the examples
above, the time_zone() option only affects the _contents_ of the file,
and not the filenames.

In 3.0 this "behaviour" is fixed and the timezone of the timestamp is
used, without alteration.  

(and NOTE that in 3.0 the timezone handling was expanded significantly,
e.g. you can specify a location _by name_ instead of using plain
timezone offsets which do not support day-light-saving)

-- 
Bazsi
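
The two behaviours described in the reply above, modelled in Python as an added example (not part of the original message and not syslog-ng code). The macro subset, the function names and the simplified path are assumptions; the timestamp and offsets are the ones from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Macros modelled here; a small subset of what syslog-ng provides.
_FORMATS = {"YEAR": "%Y", "MONTH": "%m", "DAY": "%d", "HOUR": "%H"}


def parse_offset(text):
    """Turn an offset such as '+08:00' or '-08:00' into a tzinfo."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def expand(template, stamp, zone=None):
    """Expand $MACRO references; if zone is given, convert the stamp first."""
    when = stamp.astimezone(zone) if zone else stamp

    def repl(match):
        name = match.group(1)
        if name == "ISODATE":
            return when.isoformat()
        return when.strftime(_FORMATS[name])

    return re.sub(r"\$(YEAR|MONTH|DAY|HOUR|ISODATE)", repl, template)


def render(stamp, path_tmpl, line_tmpl, local_zone, time_zone, legacy):
    """Return (filename, content) for one message.

    legacy=True  models 2.1: filename macros use the process-local zone.
    legacy=False models 3.0: filename macros keep the timestamp's own zone.
    The content always follows the destination's time_zone() option.
    """
    path = expand(path_tmpl, stamp, local_zone if legacy else None)
    line = expand(line_tmpl, stamp, time_zone)
    return path, line


# Constructed input mirroring the values in the thread.
STAMP = datetime.fromisoformat("2009-01-14T22:27:47-08:00")
PATH = "/disk3/cookie_logs/pid1/$YEAR-$MONTH-$DAY/apache.log"
LINE = "$DAY-$HOUR $ISODATE"
SERVER = parse_offset("+08:00")  # zone of the syslog-ng process
OPTION = parse_offset("-08:00")  # time_zone() set on the destination

if __name__ == "__main__":
    for legacy in (True, False):
        label = "2.1" if legacy else "3.0"
        print(label, *render(STAMP, PATH, LINE, SERVER, OPTION, legacy))
```

When correlating events across hosts, the date in a 2.x file path therefore reflects the collector's zone, while the timestamps inside the file reflect time_zone().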



