[syslog-ng] Timezone

Nagy, Gábor gabor.nagy at balabit.com
Fri Dec 1 21:25:42 UTC 2017


Hello Sebastian!

I see you asked your question a month ago, but I hope my answers can
still help you.

Best Regards,
Gabor

On Mon, Oct 30, 2017 at 4:02 PM, Sebastian Roland <seroland86 at gmail.com>
wrote:

> Hi,
>
> after reading the admin guide and playing around with different setups
> several times I'm still struggling to fully understand the timezone
> functionality of syslog-ng.
>
> How are time-zone() / recv-time-zone() and send-time-zone() related?
>
> Some notes I made during investigation:
>
> * Logging through syslog() function logs in old BSD syslog format which
> does not contain a timezone. recv-time-zone() is utilized to assign a
> timezone. If no value has been specified the local time zone is used.
>
> * According to the admin guide send-time-zone() is only used when the
> timezone is not specified otherwise. This didn't turn out to be true.
>
> Example:
> Syslog server a sends via syslog protocol over tcp (timezone is part of
> the message) to server b. setting send-time-zone(x) on server b changes
> the timezone (and timestamp) in the destination file to the time in
> timezone x.
> If send-time-zone() is not set at all nothing happens although the
> admin guide states that the default is to use the local timezone. IMHO
> no change should be applied to the message. Note that keep-
> timestamp(yes) is set on server b.
>
It only uses the local timezone if no timezone info is found in the message.

>
> * If both time-zone() and send-time-zone() are set globally time-zone()
> overrides send-time-zone()
>
Both time-zone() and send-time-zone() do the same thing in global settings
(setting the timezone info for sent messages).
Therefore whichever comes later will be the actual sent timezone.

>
> * time-zone() can be set globally and on drivers. Specific settings
> overrides global config.
>
I think this is expected, isn't it?

>
>
> The confusing part is the behavior when a timestamp is already set
> within an incoming message and send-time-zone() is explicitly set (with
> keep-timestamp(yes)). Is it actually intended that send-time-zone()
> changes a timestamp?
>
No, it should not be changed if the incoming message has a timestamp and
keep-timestamp(yes) is set.

>
>
> Shouldn't the logic be that recv-time-zone() and send-time-zone() are
> only relevant when there is no tz offset available and a default one
> needs to be set for receiving and sending respectively and time-zone()
> is used to actually convert to a different timezone?
>
>
> If I'm getting something fundamentally wrong please advise.
>
To be able to investigate this in detail, can you share your configuration
and syslog-ng version, please?
Also, if you can share some examples of your incoming log files, that would
help a lot, because it can be a log parsing failure.
You said that "Logging through syslog() function logs in old BSD syslog
format".
Well, using the syslog() driver requires sending the logs in RFC5424 format, but
you can send old BSD syslog messages if they are framed in RFC5424.


> Kind regards
> Sebastian
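As an added example (not a configuration posted by Sebastian or Gabor), the following syslog-ng configuration for a receiving server like "server b" sets every option discussed in the thread explicitly and writes the message's own timestamp next to the reception timestamp, so an operator can tell a changed stored timestamp apart from a changed rendering zone. Zone names, the port, file paths and the version line are assumptions.

```conf
@version: 3.12
# Added example; not the original poster's or the syslog-ng project's own
# configuration. Zone names, port and paths are placeholders for illustration.

options {
    # Trust the timestamp carried by the incoming message instead of replacing
    # it with the time of reception.
    keep-timestamp(yes);
    # Fallback zone for incoming messages that carry no offset (for example
    # BSD-format messages from the local syslog() function). Not used when the
    # message itself states an offset.
    recv-time-zone("Europe/Berlin");
    # Fallback zone for outgoing messages when neither the message nor the
    # destination driver specifies one.
    send-time-zone("UTC");
    # Emit ISO 8601 timestamps so the offset is visible in the output.
    ts-format(iso);
};

# Local messages: old BSD format without timezone, so recv-time-zone() applies.
source s_local {
    system();
};

# Messages from "server a" in RFC 5424 format over TCP; the offset is carried
# inside each message, so recv-time-zone() does not apply to them.
source s_remote {
    syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

# Diagnostic destination: S_ macros render the timestamp from the message,
# R_ macros the reception time on this host.
destination d_diag {
    file("/var/log/tz-diag.log"
         template("sent=${S_ISODATE} recv=${R_ISODATE} host=${HOST} msg=${MSG}\n"));
};

# Explicit conversion: time-zone() on the destination converts every rendered
# timestamp to the given zone and overrides the global setting for this file.
destination d_newyork {
    file("/var/log/tz-newyork.log" time-zone("America/New_York"));
};

log {
    source(s_local);
    source(s_remote);
    destination(d_diag);
    destination(d_newyork);
};
```

Comparing the sent= and recv= fields in tz-diag.log for a message that arrived with its own offset shows whether send-time-zone() changed the stored timestamp or only its rendering.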