On Wed, Mar 16, 2011 at 2:09 PM, Georgios Magklaras <georgios@xxxxxxxxxxxxx> wrote:
> On 03/16/2011 05:46 PM, Jose R R wrote:
>> []
> Syslogd should have an option for /etc/syslog.conf called
> keep_timestamp(no)
>
> if you really want to use the syslog server's timestamp (to get your local
> time and thus eliminate time difference issues), instead of the one in the
> message, make sure you include this in your config file and that should fix
> it.

Indeed that did fix the mixing of TZ & UTC timestamps in the /var/log/secure
file. Now I am satisfied to have a uniform time logging scheme.

Nevertheless, the original /etc/syslog.conf that comes with Red Hat
derivatives (like CentOS 5.x) does not necessarily have an intuitive section
of where to insert the line you suggested above. Hence, I took syslog-ng's
/etc/syslog-ng/syslog-ng.conf and added your directive at the bottom of the
options:

options {
    sync (0);
    ...
    keep_timestamp (no);
};

And it worked.

GNU/Linux Debian 5 & 6.0 use rsyslog, hence /etc/rsyslog.conf has a default of:

# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

And I never experienced the complaint I posted as I managed those
distribution instances.

Anyhow I appreciate your helpful advice. And yes, I will also be looking into
the resource below.

>
> BTW, I can't help but mention that LUARM (http://luarm.sourceforge.net/)
> does not suffer from these problems. Timing is a very important issue in log
> correlation. Syslog(-ng) are just log aggregators and as you see the default
> settings are not always the best for response tools.
>
> GM

Thank You and Best Professional Regards.

--
Jose R R
http://www.metztli-it.com
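A check for the symptom discussed in this message (local and UTC stamps interleaved in /var/log/secure), added here as an example and not part of the original post. The host names, the sample lines, the UTC-7 local zone and the 5-minute slack are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the traditional syslog format (no year, no zone).
# Assumption: host2's lines kept the sender's UTC stamp, the rest are UTC-7.
SAMPLE = """\
Mar 16 14:01:10 host1 sshd[2101]: Accepted publickey for alice
Mar 16 14:01:42 host1 sshd[2101]: session opened for user alice
Mar 16 21:02:05 host2 sshd[877]: Failed password for root
Mar 16 21:02:09 host2 sshd[877]: Failed password for root
Mar 16 14:02:30 host1 sshd[2101]: session closed for user alice
"""

def parse_stamp(line, year):
    """Parse the leading 'Mon DD HH:MM:SS' stamp; None if the line has none."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None

def backward_jumps(text, year=2011, slack=timedelta(minutes=5)):
    """Return (line_no, hours_back, prev_host, host) for each backward step.

    A file written in arrival order cannot go back in time, so a step back
    larger than the slack (sized here to the nearest quarter hour) suggests
    that stamps from different time zones were mixed.
    """
    hits, prev_ts, prev_host = [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        ts = parse_stamp(line, year)
        if ts is None:
            continue
        parts = line.split()
        host = parts[3] if len(parts) > 3 else "?"
        if prev_ts and prev_ts - ts > timedelta(days=300):
            year += 1                      # Dec -> Jan rollover, not a jump
            ts = ts.replace(year=year)
        if prev_ts and prev_ts - ts > slack:
            quarters = round((prev_ts - ts) / timedelta(minutes=15))
            hits.append((no, quarters / 4, prev_host, host))
        prev_ts, prev_host = ts, host
    return hits

if __name__ == "__main__":
    for no, hours, before, after in backward_jumps(SAMPLE):
        print(f"line {no}: {after} is {hours}h behind preceding {before} line")
```

Once the receiver stamps every message itself, as with keep_timestamp (no), the same scan over new entries should come back empty.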