-1

I have a central logging server running rsyslog 7.x on RHEL 6

The logs are coming in with a UTC time but an EST offset for a device.

Here are some relevant configs.

$template TEMPLATE_NAME,"%TIMESTAMP:::date-rfc3339% %fromhost% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

[root@host ]# hwclock Thu 14 Feb 2019 05:35:25 PM EST -0.877530 seconds [root@host ]# date -u Thu Feb 14 22:35:28 UTC 2019 [root@host ]# date Thu Feb 14 17:35:29 EST 2019 [root@host ]#

When I change the localtime to UTC and restart rsyslogd then the offset goes to +00:00 but when the localtime is in EST as it is now, only the offset changes to -05:00 but the time stamp would stay the same.

My goal is to have the logs reflect the local time with the proper offset.

So for a log written at 3PM EST my current outcome is 2019-02-14T20:49:31-05:00 But i would expect 2019-02-14T15:49:31-05:00

Can someone please explain how to achieve this or why I am seeing what I am ?

Jlom84
  • 3
  • 4
  • [so] is for programming questions, not questions about using or configuring Unix and its utilities.. [unix.se] or [su] would be better places for questions like this. – Barmar Feb 14 '19 at 23:55

1 Answers1

1

Can you use the receiving time("timegenerated") instead of the reporting time("TIMESTAMP")?

$template TEMPLATE_NAME,"%timegenerated:::date-rfc3339% %fromhost% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
ccxxshow
  • 844
  • 6
  • 5