[syslog-ng] Handling multiple timezones

Fekete Robert frobert at balabit.hu
Fri Apr 6 10:36:22 CEST 2012 

Hi, while there might be other options, I can think of the following  possibilities:

- Your B solution would work for the same IP address but using different ports 
for the different time zones
- If all your clients in the US/Pacific timezone can include the timezone 
information, you can set the time_zone() option of your source to UTC, and 
syslog-ng will apply this information only to the messages that do not include 
timezone information.
- If the above does not work, and you must stick to a single source, you can try 
to use a filter to select the clients of the Pacific timezone (using the host or 
the netmask filter for example), and send these messages into a loop destination 
(a socket or the loopback interface). That way you can set the timezone, and 
re-read the messages from a second, local source. Of course, this might be 
problematic performance-wise, this depends on the amount of messages.


Robert

On 04/06/2012 12:03 AM, Chris Hiestand wrote:

> After some googling and reading the admin guide, I think what I want to do is not possible. But I'd like confirmation.
>
> My syslog-ng server gets syslog messages from clients with two timezones: UTC and US/Pacific. But the UTC clients (ESXi servers) cannot specify the UTC timezone, so the collector incorrectly assumes the timestamps are local (US/Pacific). I'd really like to convert the UTC timezone to US/Pacific so my entire output is in US/Pacific. But the only place I can specify a source timezone is in the source section - however both client groups send syslogs to the same source so I cannot do that.
>
> So potential workarounds are:
> A. Set all the clients to output in the UTC timezone so that I can set UTC in the common source and then convert to US/Pacific as the default output timezone.
> B. Setup another IP address to collect syslogs, and set the different timezone on that source (and configure all of those timezones clients to syslog to a different IP). This means you need N IP addresses to collect N different timezones.
>
> Is it considered "Best Practice" to have all clients send syslogs in UTC timezone to avoid this complication?
>
> Any help is appreciated. Thanks,
> Chris
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>

More information about the syslog-ng mailing list