[syslog-ng] Syslog-ng timestamp problem

Zoltán Pallagi pzolee at balabit.hu
Fri Jun 3 14:46:17 CEST 2011 

Hi,

general description about timezone in syslog-ng:
* If no timezone information in the incoming message, syslog-ng will 
assign the local timezone for the message by default
  * The default timezone can be overridden using the global 
recv_time_zone() or source specific time_zone() option
* If the incoming message contains timezone information, syslog-ng will 
use it as timezone

Because BSD syslog protocol does not contain timezone information in 
timestamp by default (example for BSD timestamp: Jan  1 14:45:22), if 
your client send BDS style messages, syslog-ng will use the local timezone.
There are two possible solutions:
  * you can override the default timezone using the above options 
(time_zone(), recv_time_zone())
  * you can change the default timestamp type for the sent messages in 
the clients. To change it use the 'ts_format("iso")' option in every 
client configuration, after changing, syslog-ng will use an extended 
timestamp for BSD messages (e.g.: 2011-03-24T15:13:45+01:00).

Also, there is a third solution, you can use syslog protocol (rfc 5424) 
instead of BSD, in this case you can use syslog() sources on the server, 
and syslog() destination on the clients, the default timestamp for 
syslog protocol is ISO date.


On 2011-06-02 16:37, Tamas Szklenar wrote:
> Hi,
>
> I configured a syslog-ng server and several clients for testing and it
> is working great, my only problem is with the timestamp() option.
> We have a lot of computer in different time zones and I would like to
> set up the system to keep the messages time stamps.
> Here is the config for the syslog-ng server:
>
> options {
>           flush_lines(5);
>           flush_timeout(1000);
>           time_reopen(10);
>           log_fifo_size(1000);
>           long_hostnames(off);
>           use_dns(yes);
>           dns_cache_hosts(/etc/hosts);
>           use_fqdn(no);
>           create_dirs(yes);
>           dir_perm(0700);
>           keep_hostname(yes);
>           keep_timestamp(yes);
>           stats_freq(0);
>           };
>
> Is there something else what I have to whit this?
>
> Thanks for your help!
>
> Tamas
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>

More information about the syslog-ng mailing list