Description
Use Cases
BSD syslog messages (RFC 3164) carry the timestamp field in the format "Mmm dd hh:mm:ss".
The timestamp carries no timezone; RFC 3164 expects it to be the local time of the sending device.
However, the sending device may not be in the same timezone as the receiving Vector agent.
Also, some devices implement this incorrectly and stamp their messages in UTC.
This creates a need to tell Vector which timezone the timestamp should be interpreted in, so that the resulting event timestamp is correct.
Attempted Solutions
The transform below works, but it is less convenient than a single line in the source that names the timezone:

```yaml
transforms:
  timezone_remap:
    type: remap
    inputs:
      - device-using-bsd-syslog-with-UTC-timestamp
    source: |-
      # Shift the already-parsed timestamp by a fixed offset (here +8 hours = 28800 s)
      # to undo the timezone assumption made when the message was parsed.
      .timestamp = from_unix_timestamp!(to_unix_timestamp!(.timestamp) + 28800)
```
Proposal
- It would be helpful if the syslog source could include an optional configuration setting "timezone" that lets the user specify which timezone the timestamp should be interpreted in.
Example:

```yaml
sources:
  device-using-bsd-syslog-with-UTC-timestamp:
    type: syslog
    address: 0.0.0.0:5144
    mode: udp
    timezone: UTC
```
- I also propose that the same optional "timezone" parameter be added to the parse_syslog VRL function:

```
parse_syslog(value: <string>, [timezone: <string>])
:: <object>, <error>
```
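To make the ambiguity described in the use case concrete, and to show what the proposed `timezone` parameter for the source and for `parse_syslog` would have to do, here is an added Python example. It is not Vector code and not an implementation of the proposal: it parses one RFC 3164 line, interprets the wall-clock "Mmm dd hh:mm:ss" field in a caller-supplied timezone, and normalizes the result to UTC. Because RFC 3164 omits the year as well as the timezone, it also infers the year, assuming the receiver's current year unless that would place the message more than a day in the future. The sample line is the example message from RFC 3164 section 5.4; the function names, the `tz` and `now` parameters and the accepted timezone spellings (`UTC`, an IANA name, or a fixed `+hh:mm` offset) are this example's own choices, not Vector's.

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional
from zoneinfo import ZoneInfo

# Month abbreviations fixed by RFC 3164 section 4.1.2 ("Mmm" is always English).
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG. The day is space padded ("Oct  7"), so
# allow one or two spaces between month and day.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# Conventional TAG[pid]: CONTENT split of the MSG part.
_TAG = re.compile(r"^(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<rest>.*)$", re.S)


def resolve_timezone(name: str) -> tzinfo:
    """Accept 'UTC', an IANA zone such as 'Asia/Shanghai', or a fixed '+hh:mm' offset.

    The spellings accepted here are this example's choice, not Vector's.
    """
    if name.upper() in ("UTC", "Z"):
        return timezone.utc
    m = re.fullmatch(r"([+-])(\d{2}):?(\d{2})", name)
    if m:
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        return timezone(-delta if m.group(1) == "-" else delta)
    return ZoneInfo(name)  # raises ZoneInfoNotFoundError for unknown names


def parse_bsd_syslog(line: str, tz: str = "UTC", now: Optional[datetime] = None) -> dict:
    """Parse one RFC 3164 line, interpreting its wall-clock timestamp in `tz`.

    Returns the timestamp as a timezone-aware datetime in UTC, plus the other fields.
    `now` (an aware datetime) is only used to infer the missing year; it defaults to
    the real clock and is a parameter so the inference can be tested deterministically.
    """
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    mon = MONTHS.get(m["mon"])
    if mon is None:
        raise ValueError(f"bad month abbreviation: {m['mon']}")

    zone = resolve_timezone(tz)
    now = (now or datetime.now(timezone.utc)).astimezone(zone)

    # RFC 3164 carries neither timezone nor year. Build the wall-clock time in the
    # configured zone and assume the receiver's current year...
    ts = datetime(now.year, mon, int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]), tzinfo=zone)
    # ...unless that puts the message more than a day in the future, which is what
    # a "Dec 31" message read on "Jan 2" looks like: then it belongs to last year.
    if ts - now > timedelta(days=1):
        ts = ts.replace(year=now.year - 1)

    pri = int(m["pri"])
    appname, procid, message = None, None, m["msg"]
    t = _TAG.match(m["msg"])
    if t:
        appname = t["tag"]
        procid = int(t["pid"]) if t["pid"] else None
        message = t["rest"]

    return {
        "facility": pri >> 3,      # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": ts.astimezone(timezone.utc),
        "hostname": m["host"],
        "appname": appname,
        "procid": procid,
        "message": message,
    }


if __name__ == "__main__":
    # Constructed input: the example message from RFC 3164 section 5.4.
    sample = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
    for tz in ("UTC", "+08:00", "America/New_York"):
        print(tz, parse_bsd_syslog(sample, tz=tz)["timestamp"].isoformat())
```

Parsing the same line with `tz="UTC"` and `tz="+08:00"` yields timestamps exactly 28800 seconds apart, which is the shift the remap workaround applies after the fact. Doing it at parse time has one advantage the fixed-offset remap cannot offer: with an IANA zone name the offset follows the device's daylight-saving rules instead of being hard-coded.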
References
#3234
#4710
https://datatracker.ietf.org/doc/html/rfc3164#section-4.1.2
https://vector.dev/docs/reference/configuration/sources/syslog/
https://vector.dev/docs/reference/vrl/functions/#parse_syslog
Version
vector 0.44.0 (x86_64-unknown-linux-gnu)