Red Hat derivative OS: syslog & syslog-ng logging to /var/log/secure are mixing local time zone & UTC

Jose R R jose.r.r at metztli.com
Thu Mar 17 13:24:53 UTC 2011 

On Wed, Mar 16, 2011 at 2:09 PM, Georgios Magklaras
<georgios at biotek.uio.no> wrote:
> On 03/16/2011 05:46 PM, Jose R R wrote:
>>
[]
> Syslogd should have an option for /etc/syslog.conf called
>  keep_timestamp(no)
>
> if you really want to use the syslog server's timestamp (to get your local
> time and thus eliminate time difference issues), instead of the one in the
> message, make sure you include this in your config file and that should fix
> it.

Indeed that did fix the mixing of TZ & UTC timestamps in
/var/log/secure file. Now I am satisfied to have a uniform time
logging scheme.

Nevertheless, the original /etc/syslog.conf that comes with Red Hat
derivatives (like CentOS 5.x) does not necessarily have an intuitive
section of where to insert the line you suggested above. Hence, I took
syslog-ng's /etc/syslog-ng/syslog-ng.conf and added your directive at
the bottom of the options:

options {
    sync (0);
   ...
    keep_timestamp (no);
};

And it worked.

GNU/Linux Debian 5 & 6.0 use rsyslog, hence /etc/rsyslog.conf has a default of:

# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

And I never experienced the complaint I posted as I managed those
distribution instances.

Anyhow I appreciate your helpful advice. And yes, I will also be
looking into below resource.

>
> BTW, I can't help but mention that LUARM (http://luarm.sourceforge.net/)
> does not suffer from these problems. Timing is a very important issue in log
> correlation. Syslog(-ng) are just log aggregators and as you see the default
> settings are not always the best for response tools.
>
> GM


Thank You and Best Professional Regards.


-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
IBM Lotus Symphony supported on GNU/Linux, Mac OS, and Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada starts: Sunday, March 13 2011
---------------------------------------------------------------------------------------------

More information about the redhat-list mailing list