Sebastian Roland seroland86 at gmail.com
Mon Oct 30 15:02:01 UTC 2017


After reading the admin guide and playing around with different setups
several times, I'm still struggling to fully understand the timezone
functionality of syslog-ng.

How are time-zone() / recv-time-zone() and send-time-zone() related?

Some notes I made during investigation:

* Logging through syslog() function logs in old BSD syslog format which
does not contain a timezone. recv-time-zone() is utilized to assign a
timezone. If no value has been specified the local time zone is used.
* According to the admin guide send-time-zone() is only used when the
timezone is not specified otherwise. This didn't turn out to be true.

Syslog server a sends via syslog protocol over TCP (timezone is part of
the message) to server b. Setting send-time-zone(x) on server b changes
the timezone (and timestamp) in the destination file to the time in
timezone x.
If send-time-zone() is not set at all, nothing happens, although the
admin guide states that the default is to use the local timezone. IMHO
no change should be applied to the message. Note that
keep-timestamp(yes) is set on server b.

* If both time-zone() and send-time-zone() are set globally, time-zone()
overrides send-time-zone().

* time-zone() can be set globally and on drivers. Specific settings
override global config.

The confusing part is the behavior when a timestamp is already set
within an incoming message and send-time-zone() is explicitly set (with
keep-timestamp(yes)). Is it actually intended that send-time-zone()
changes a timestamp?

Shouldn't the logic be that recv-time-zone() and send-time-zone() are
only relevant when there is no tz offset available and a default one
needs to be set for receiving and sending respectively and time-zone()
is used to actually convert to a different timezone?

If I'm getting something fundamentally wrong please advise.
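
A small Python model of the distinction the message draws, added here as an example (it is not part of the original message and not syslog-ng code): an assumed zone is attached only when the timestamp carries no offset, while output conversion changes the rendered wall clock without changing the instant. The function names, the fixed offsets, the assumed year and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# RFC 3164 (BSD) header: "<PRI>Mmm dd hh:mm:ss host ..." has no year and no offset.
BSD = re.compile(r"^(?:<\d+>)?([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ")
# RFC 5424 header: "<PRI>1 YYYY-MM-DDThh:mm:ss+hh:mm host ..." carries its own offset.
# Fractional seconds are left out to keep the model short.
ISO = re.compile(r"^<\d+>1 (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:\d\d)) ")


def fixed_zone(offset):
    """Turn "+01:00" / "-05:00" into a fixed-offset tzinfo (no DST rules)."""
    sign = -1 if offset[0] == "-" else 1
    hours, minutes = offset[1:].split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def parse_stamp(line, assumed_zone, year):
    """Return an aware datetime; assumed_zone applies only to zone-less stamps."""
    m = ISO.match(line)
    if m:
        return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    m = BSD.match(line)
    if not m:
        raise ValueError("no recognisable timestamp: %r" % line)
    mon, day, hh, mi, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mi), int(ss),
                    tzinfo=assumed_zone)


def render(stamp, output_zone=None):
    """Same instant, optionally shown on another wall clock."""
    return (stamp.astimezone(output_zone) if output_zone else stamp).isoformat()


# Constructed sample lines: the same event in both formats.
BSD_LINE = "<13>Oct 30 15:02:01 servera app: login ok"
ISO_LINE = "<13>1 2017-10-30T15:02:01+01:00 servera app - - - login ok"

if __name__ == "__main__":
    for line in (BSD_LINE, ISO_LINE):
        stamp = parse_stamp(line, fixed_zone("+01:00"), 2017)
        print(render(stamp), "->", render(stamp, timezone.utc))
```

When correlating logs from several hosts, a wrong assumed zone on the zone-less format shifts the instant itself, whereas a different output zone only changes how the same instant is written.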

