I am collecting syslog using syslog-ng. the events collected in the file are showing GMT.
When I setup a file monitor for the events they are indexed in the future.
What is the best way to handle this using the sourcetype=syslog?
in your syslog sourcetype stanza in the props.conf, add:
TZ = UTC
If you don't have one in your local/props.conf, they just add:
[syslog] TZ = UTC
Then restart the indexer.
View solution in original post
Yes. If you need it only for a certain source, use your syslog config to break that out to a separate file or directory tree. Then set up a new source to set the TZ on that source only.
thanks I am in a distributed environment and I cant (am not allowed to) restart the indexers during working hours.
Also wont this change the timestamp for all syslog not just my new one?
