[syslog-ng] Time zone problem - take 2

Balazs Scheidler bazsi at balabit.hu
Thu Jun 9 14:35:09 CEST 2011


On Mon, 2011-06-06 at 12:30 -0400, Tamas Szklenar wrote:
> Hi,
> 
> I tried to configure the time zones according to the manuals, but it is not 
> working for me and I have no more ideas...
> Our syslog-ng server is located in Cambridge, US (UT-04:00) and one of our 
> client computers is in Arizona (UT-07:00). I tried to set up the config 
> files with these time zones.
> 
> I attached the config files to my mail, could you please help to solve 
> this problem?

You are specifying the time-zone option on both the client and the server,
which may not be what you want (although it can be).

When syslog-ng receives a message, it tries to identify its timezone
offset. The algorithm used is:
  - if the message has a timezone field in the timestamp, use that
(ISODATE has that, traditional BSD doesn't)

  - if it has no timezone information, the current local time zone of
the syslog-ng instance is used

Once the timezone is identified, both the timezone and the UTC timestamp
are remembered for the message until it reaches its destination.

When processing the message on the destination side, the timezone of the
output timestamp is calculated as follows:

  - if the destination has no time-zone specified, then the message
timezone is used verbatim. (e.g. whatever was identified when receiving
it will be used on the output)

  - if the destination does have a time-zone() option, a time-zone
conversion takes place: the timestamp is converted from its source
timezone to the destination time-zone.

In your case, you have two syslog-ng instances, one on the client, and
one on the server.

On the client, the sender of the message is the application, which is
then received by the local syslog-ng process and then sent out to the
server. In this case, the local timezone is associated with the message
(e.g. -07:00), which is then sent out. Since there's a timezone option
for your destination:

destination d_net { 
        tcp("xxxxxxxxx" port(xxxxx) 
        tls(ca_dir("/etc/ssl"))
        time_zone(-07:00));
        };

It'll be converted to -07:00, which is a NOP. But since the timestamp
style is not specified in the global options (ts_format), nor in the
destination itself, and no template is used (with the $ISODATE macro),
syslog-ng will use the traditional BSD syslog format with a legacy
timestamp, which has no year nor timezone information.

This is then received by the server. The server has a time-zone option
in its source:

         tcp(
                ip(xxx.xxx.xxx.xxx) 
                port(xxxxx) 
                max-connections(100)
                tls
                (       
                key_file("/etc/ssl/demoCA/external-server.key")
                cert_file("/etc/ssl/demoCA/external-server.csr")
                peer_verify(optional-untrusted)
                )
                time_zone(-04:00)
                );

Since there's no timezone information in the message as it comes in,
syslog-ng will _assume_ that it is -04:00, which is certainly not the
case, as we know that it's -07:00.

Is it possible that this is where it went wrong?

Also, newer versions of syslog-ng (I think it was starting with 3.0)
support specifying timezones via names, (e.g. Europe/Budapest instead
of +01:00), which has the benefit that syslog-ng will properly recognize
daylight saving times.

-- 
Bazsi
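
The receive and destination rules described in the reply above, modelled in Python as an added example (not syslog-ng code and not part of the original message). It relays one constructed timestamp through a -07:00 client and a server whose source assumes -04:00. The function names and the fixed year 2011 are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

def tz(offset):
    """'-07:00' -> fixed-offset tzinfo."""
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = offset.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))

def receive(stamp, assumed_tz, year=2011):
    """Receive step: return (UTC instant, timezone associated with the message)."""
    try:
        parsed = datetime.fromisoformat(stamp)        # ISODATE style, carries an offset
    except ValueError:
        # Legacy BSD stamp: no year, no offset (the year is supplied here, an assumption).
        parsed = datetime.strptime(f"{year} {' '.join(stamp.split())}",
                                   "%Y %b %d %H:%M:%S")
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=assumed_tz)    # no zone in the message: assume one
    return parsed.astimezone(timezone.utc), parsed.tzinfo

def emit(utc, msg_tz, dest_tz=None, iso=False):
    """Destination step: convert only when the destination sets a time zone."""
    local = utc.astimezone(dest_tz if dest_tz is not None else msg_tz)
    if iso:
        return local.isoformat()
    return f"{local:%b} {local.day:2d} {local:%H:%M:%S}"   # BSD style drops the offset

def relay(app_stamp, iso):
    """Client at -07:00 forwards to a server whose source assumes -04:00."""
    client, server = tz("-07:00"), tz("-04:00")
    utc, msg_tz = receive(app_stamp, assumed_tz=client)     # local application message
    wire = emit(utc, msg_tz, dest_tz=client, iso=iso)       # what goes over TCP
    server_utc, _ = receive(wire, assumed_tz=server)
    return wire, server_utc

SAMPLE = "Jun  6 09:30:00"   # constructed: 09:30 local in Arizona, i.e. 16:30 UTC

if __name__ == "__main__":
    for iso in (False, True):
        wire, seen = relay(SAMPLE, iso)
        print(f"iso={iso!s:5} wire={wire!r:30} server UTC={seen:%H:%M}")
```

With the BSD format the server records the event three hours early in UTC. With an offset-bearing timestamp on the wire the server's assumed zone is never consulted, so the instant survives the hop.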



