Rsyslog collect logs from different timezones

I'm using rsyslog on a server to collect logs from remote hosts.

Collect server config:

# timedatectl
               Local time: Wed 2022-04-27 16:02:43 MSK
           Universal time: Wed 2022-04-27 13:02:43 UTC
                 RTC time: n/a                        
                Time zone: Europe/Moscow (MSK, +0300) 
System clock synchronized: yes                        
              NTP service: inactive                   
          RTC in local TZ: no
# cat /etc/rsyslog.d/20_external.conf
$CreateDirs on
$PreserveFQDN on

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

template(
      name="external"
      type="string"
      string="/var/log/external/%HOSTNAME%/%syslogfacility-text%.%programname%.%syslogseverity-text%.log"
)

action(
      type="omfile"
      dirCreateMode="0775"
      FileCreateMode="0644"
      dynaFile="external"
)

On the remote host:

# timedatectl
               Local time: Wed 2022-04-27 13:04:03 UTC
           Universal time: Wed 2022-04-27 13:04:03 UTC
                 RTC time: n/a                        
                Time zone: UTC (UTC, +0000)           
System clock synchronized: yes                        
              NTP service: inactive                   
          RTC in local TZ: no
# cat /etc/rsyslog.d/10-external.conf 
*.* @rserver
# logger "hello, local time $(date)"

And I get on the rsyslog server:

cat  /var/log/external/ruser.home.xmu/user.root.notice.log
2022-04-27T13:07:06+03:00 ruser.home.xmu root: hello, local time 2022-04-27T13:07:06 UTC
# date
2022-04-27T16:08:56 MSK

What can I do to change the time zone settings for some remote hosts on the collect server?

When I research incidents from all servers, the times in the logs do not match. I want the time in the logs on the collector to be in its time zone, i.e.

2022-04-27T16:07:06+03:00 ruser.home.xmu root: hello, local time 2022-04-27T13:07:06 UTC
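The mismatch in the question is a classic source of bad incident timelines: the sender emits a legacy timestamp without a zone, and the collector attaches its own offset to the sender's wall-clock digits, so a UTC host's events land three hours early in a +03:00 collector's files. The following is an added example, not code from the question or from rsyslog, showing how already-collected lines can be corrected afterwards: it assumes an operator-maintained map of each sender's real timezone (`SENDER_TZ`, a constructed inventory), re-attaches the sender's zone only when the stored offset is the collector's guess, and then renders every line in one target zone for correlation. Sample lines are constructed from the output shown above.

```python
"""
Normalize collector log timestamps when senders run in a different timezone.

When a sender emits a legacy (RFC 3164) timestamp with no zone, rsyslog on the
collector parses the wall-clock digits and attaches the collector's own offset.
For a UTC sender and a +03:00 collector the stored instant is 3 hours early.
We re-interpret the digits in the sender's real zone, then express everything
in a single zone so events from different hosts line up.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed lines modelled on the collector output in the question.
SAMPLE_LINES = [
    "2022-04-27T13:07:06+03:00 ruser.home.xmu root: hello, local time 2022-04-27T13:07:06 UTC",
    "2022-04-27T16:08:56+03:00 collector.home.xmu root: local message",
]

UTC = timezone.utc
COLLECTOR_TZ = timezone(timedelta(hours=3))  # MSK in the question (fixed offset for the example)

# Assumed operator-maintained inventory of each sender's real timezone (constructed).
SENDER_TZ = {
    "ruser.home.xmu": UTC,
    "collector.home.xmu": COLLECTOR_TZ,
}

# "<iso-timestamp> <hostname> <rest of message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")


def parse_line(line):
    """Split a collector line into (aware datetime, host, remainder)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised line: {line!r}")
    ts = datetime.fromisoformat(m["ts"])  # handles the +03:00 suffix
    if ts.tzinfo is None:
        raise ValueError("timestamp without offset; refusing to guess")
    return ts, m["host"], m["rest"]


def correct_timestamp(ts, host, sender_tz=SENDER_TZ, collector_tz=COLLECTOR_TZ):
    """Return the true instant for a line from `host`.

    If the stored offset equals the collector's offset but the sender is known
    to run in a different zone, the digits were the sender's local wall-clock
    and only the offset was guessed by the collector: re-attach the sender's
    zone. In every other case the offset is trusted (for example the sender
    already sent RFC 5424 with its own offset) and the value is returned as is.
    """
    real_tz = sender_tz.get(host)
    if real_tz is None:
        return ts  # unknown host: do not guess
    stored_offset = ts.utcoffset()
    if stored_offset == collector_tz.utcoffset(ts) and real_tz.utcoffset(ts) != stored_offset:
        return ts.replace(tzinfo=real_tz)
    return ts


def normalize_line(line, target_tz=COLLECTOR_TZ):
    """Rewrite one collector line with a corrected timestamp in `target_tz`."""
    ts, host, rest = parse_line(line)
    fixed = correct_timestamp(ts, host).astimezone(target_tz)
    return f"{fixed.isoformat()} {host} {rest}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize_line(line))          # collector's zone, as the question wants
        print(normalize_line(line, UTC))     # or everything in UTC for cross-host correlation
```

The correction is only safe where the sender is known to emit zone-less timestamps; a host that already sends a proper offset is left untouched, which is why the check compares the stored offset against both the collector's and the sender's. Fixing it at the source (sending timestamps with an explicit offset, or stamping with the collector's receive time) avoids the need for such post-processing.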


Solution 1:[1]

You can define the timezone in rsyslog on the client - which in my opinion is the cleaner solution.

In /etc/rsyslog.conf do the following:

Comment/remove the current template

# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Then add the timezone, as well as a custom log template:

timezone(id="MSK" offset="+03:00")

# Custom time format
$template myTemplate,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myTemplate

However, if you can't access the remote client which is sending the logs, it's possible to use the timestamp when the log was received on the server.

$template myTemplate,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"

ruleset(name="myRuleset"){
    $ActionFileDefaultTemplate myTemplate
    # Do some other stuff
}

module(load="imtcp")
input(type="imtcp" port="5000" ruleset="myRuleset")

module(load="imudp")
input(type="imudp" port="5000" ruleset="myRuleset")

NOTE: Don't forget to restart the rsyslog service after applying the changes.

sudo service rsyslog restart

EDIT:

Creating a template using the advanced syntax would look like the following:

template (name="myTemplate" type="string"
    string="%timegenerated% %HOSTNAME% %syslogtag%%msg%\n")

The string is the actual template of the messages that should be logged, not the destination to which the messages should be logged.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
