Adjust timestamps

Sometimes, log events may have an incorrect or incomplete timestamp. For example, BSD syslog messages do not include the year or timezone information, and some network devices may have the wrong time immediately after a reboot.

Below, we provide examples of adjusting timestamps with NXLog Agent.

Replace the original timestamp

A simple solution for fixing dubious timestamps is to replace them with the time when NXLog Agent received the event. This option is most suitable when the log source sends events to NXLog Agent in real time.

Example 1. Replacing the timestamp with the event ingestion time

The following is a standard BSD syslog message.

Input sample
<30>Feb 19 11:40:27 SERVER-1 sshd[26459]: Accepted publickey for john from 192.168.1.1 port 41193 ssh2

This configuration listens for syslog messages over UDP and parses them into structured data using the parse_syslog() procedure of the xm_syslog module. This procedure populates the $EventTime field with the syslog message timestamp.

It then replaces the $EventTime with the value of the $EventReceivedTime core field. Finally, it converts the log record to JSON for demonstration purposes.

nxlog.conf
<Extension syslog>
    Module    xm_syslog
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input udp_listen>
    Module    im_udp
    <Exec>
        parse_syslog();
        $EventTime = $EventReceivedTime;
        to_json();
    </Exec>
</Input>

The following JSON object shows the same log record after NXLog Agent processed it. The to_json() procedure transforms timestamps into local time by default.

Output sample
{
  "EventReceivedTime":"2024-02-19T12:41:14.849544+02:00",
  "SourceModuleName":"udp_listen",
  "SourceModuleType":"im_udp",
  "Hostname":"SERVER-1",
  "SyslogFacilityValue":3,
  "SyslogFacility":"DAEMON",
  "SyslogSeverityValue":6,
  "SyslogSeverity":"INFO",
  "SeverityValue":2,
  "Severity":"INFO",
  "EventTime":"2024-02-19T12:41:14.849544+02:00",
  "SourceName":"sshd",
  "ProcessID":26459,
  "Message":"Accepted publickey for john from 192.168.1.1 port 41193 ssh2"
}

Reverse a timezone offset

In some edge cases, you may need to prevent a timestamp without timezone information from being parsed as local time. For example, when collecting BSD syslog messages with a UTC timestamp. In this case, you must either re-parse the timestamp or apply a corresponding reverse offset.

Example 2. Reversing an incorrect UTC offset

The following is a standard BSD syslog message. For this example, we assume the agent is installed on a machine with a UTC +01:00 timezone, but the event timestamp is in UTC.

Input sample
<30>Feb 19 11:40:27 SERVER-1 sshd[26459]: Accepted publickey for john from 192.168.1.1 port 41193 ssh2

This configuration collects syslog messages from a file and parses them into structured data using the parse_syslog() procedure of the xm_syslog module. This procedure populates the $EventTime field with the syslog message timestamp. However, it incorrectly assumes that the timestamp is in local time.

It then uses the parsedate() and strftime() functions to reverse the incorrect UTC offset. Doing this conversion in the input module instance is best to reduce the probability of an incorrect offset during the daylight saving time (DST) transition. Finally, it converts the log record to JSON for demonstration purposes.

nxlog.conf
<Extension syslog>
    Module    xm_syslog
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input system_log>
    Module    im_file
    File      '/path/to/log/file'
    <Exec>
        parse_syslog(); (1)
        $EventTime = parsedate(strftime($EventTime, '%Y-%m-%d %H:%M:%SZ')); (2)
        to_json();
    </Exec>      
</Input>
1 The parse_syslog() procedure incorrectly assumes the timestamp is in local time and sets $EventTime to 2024-02-21T11:40:27+01:00.
2 This statement reverses the incorrect offset to convert the timestamp back to UTC.

The following JSON object shows the same log record after NXLog Agent processed it. The to_json() procedure transforms timestamps into local time by default.

Output sample
{
  "EventReceivedTime": "2024-02-19T12:41:26.679575+01:00",
  "SourceModuleName": "system_log",
  "SourceModuleType": "im_file",
  "Hostname": "SERVER-1",
  "SyslogFacilityValue": 3,
  "SyslogFacility": "DAEMON",
  "SyslogSeverityValue": 6,
  "SyslogSeverity": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventTime": "2024-02-19T12:40:27.000000+01:00",
  "SourceName": "sshd",
  "ProcessID": 26459,
  "Message": "Accepted publickey for john from 192.168.1.1 port 41193 ssh2"
}

Modify a timestamp

For general cases, you can use the plus (+) and minus (-) operators to add or subtract seconds from a timestamp.

This simple method may not be suitable for correcting a timezone that uses daylight saving time (DST) since the UTC offset depends on whether DST is in effect.

Example 3. Adjusting a datetime value

The following is a standard BSD syslog message.

Input sample
<30>Feb 19 11:40:27 SERVER-1 sshd[26459]: Accepted publickey for john from 192.168.1.1 port 41193 ssh2

This configuration collects syslog messages from a file and parses them into structured data using the parse_syslog() procedure of the xm_syslog module. This procedure populates the $EventTime field with the syslog message timestamp.

It then increases the timestamp by two hours. Finally, it converts the log record to JSON for demonstration purposes.

<Extension syslog>
    Module    xm_syslog
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input system_log>
    Module    im_file
    File      '/path/to/log/file'
    <Exec>
        parse_syslog();
        $EventTime = $EventTime + (2 * 3600); (1)
        to_json();
    </Exec>      
</Input>
1 This statement adds 2 x 3600 seconds to the timestamp, i.e., 2 hours.

The following JSON object shows the same log record after NXLog Agent processed it. The to_json() procedure transforms timestamps into local time by default.

Output sample
{
  "EventReceivedTime": "2024-02-19T13:45:28.530945+01:00",
  "SourceModuleName": "system_log",
  "SourceModuleType": "im_file",
  "Hostname": "SERVER-1",
  "SyslogFacilityValue": 3,
  "SyslogFacility": "DAEMON",
  "SyslogSeverityValue": 6,
  "SyslogSeverity": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventTime": "2024-02-19T13:40:27.000000+01:00",
  "SourceName": "sshd",
  "ProcessID": 26459,
  "Message": "Accepted publickey for john from 192.168.1.1 port 41193 ssh2"
}