[syslog-ng] Handling multiple timezones

Chris Hiestand chiestand at salk.edu
Sat Apr 7 02:49:41 CEST 2012


Thanks Robert. Thanks for pointing out the use of different ports, that is a good idea I overlooked. Your second solution unfortunately isn't possible and your third, though quite clever, seems not worth the trouble to me. The timezone problem I'm having is minor and I'd rather just deal with it than jump through such hoops.

I'm disappointed that there isn't a more elegant solution for this problem. I assume it's a very common problem since there's a lot of syslog clients out there that don't allow you to include TZ information.

I might give the multi-port trick a try, thanks.
-Chris


On Apr 6, 2012, at 1:36 AM, Fekete Robert wrote:

> Hi, while there might be other options, I can think of the following possibilities:
> 
> - Your B solution would work for the same IP address but using different ports 
> for the different time zones
> - If all your clients in the US/Pacific timezone can include the timezone 
> information, you can set the time_zone() option of your source to UTC, and 
> syslog-ng will apply this information only to the messages that do not include 
> timezone information.
> - If the above does not work, and you must stick to a single source, you can try 
> to use a filter to select the clients of the Pacific timezone (using the host or 
> the netmask filter for example), and send these messages into a loop destination 
> (a socket or the loopback interface). That way you can set the timezone, and 
> re-read the messages from a second, local source. Of course, this might be 
> problematic performance-wise, this depends on the amount of messages.
> 
> 
> Robert
> 
> On 04/06/2012 12:03 AM, Chris Hiestand wrote:
> 
>> After some googling and reading the admin guide, I think what I want to do is not possible. But I'd like confirmation.
>> 
>> My syslog-ng server gets syslog messages from clients with two timezones: UTC and US/Pacific. But the UTC clients (ESXi servers) cannot specify the UTC timezone, so the collector incorrectly assumes the timestamps are local (US/Pacific). I'd really like to convert the UTC timezone to US/Pacific so my entire output is in US/Pacific. But the only place I can specify a source timezone is in the source section - however both client groups send syslogs to the same source so I cannot do that.
>> 
>> So potential workarounds are:
>> A. Set all the clients to output in the UTC timezone so that I can set UTC in the common source and then convert to US/Pacific as the default output timezone.
>> B. Set up another IP address to collect syslogs, and set the different timezone on that source (and configure all of that timezone's clients to syslog to a different IP). This means you need N IP addresses to collect N different timezones.
>> 
>> Is it considered "Best Practice" to have all clients send syslogs in UTC timezone to avoid this complication?
>> 
>> Any help is appreciated. Thanks,
>> Chris
>> 
>> 
>> 
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>> 
> 
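
The multi-port approach discussed in this thread, sketched as a syslog-ng configuration fragment. This is an added example, not configuration posted by either participant; the source and destination names, the second port (1514) and the file path are assumptions, and only the time_zone() source option is taken from the thread.

```conf
# Fragment for an existing syslog-ng.conf (added example; names, port 1514
# and the output path are assumptions, not values from the thread).

# Clients that log in local time without timezone information.
# Timestamps lacking a zone are interpreted as US/Pacific.
source s_pacific {
    udp(ip(0.0.0.0) port(514) time_zone("US/Pacific"));
};

# Same IP address, different port, for clients such as the ESXi hosts
# that log in UTC but cannot put the zone into the message.
# Timestamps lacking a zone are interpreted as UTC.
source s_utc {
    udp(ip(0.0.0.0) port(1514) time_zone("UTC"));
};

# Write everything out in one zone so that events from both client
# groups line up on a single timeline.
destination d_remote {
    file("/var/log/remote/$HOST.log" time_zone("US/Pacific"));
};

log {
    source(s_pacific);
    source(s_utc);
    destination(d_remote);
};
```

The UTC clients have to be reconfigured to send to the second port; messages that do carry timezone information keep it, since the source option only applies to timestamps without a zone.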
