Preserve timestamps across time zones
NXLog Agent outputs timestamps in local time by default. However, you can change this behavior to normalize timestamps to UTC. To do so, you must consider both how you parse timestamps on collection as well as how you output timestamps.
Below, we provide several examples of generating UTC timestamps with NXLog Agent. In these examples, we execute the configurations on a machine with the timezone set to UTC+1.
Parsing timestamps without timezone information
The parsedate() function treats timestamps that do not contain timezone information as local time by default.
However, the function also accepts a second boolean argument, utc.
When this argument is TRUE, the function treats timestamps without timezone information as UTC.
The following log sample contains a timestamp without a UTC offset.
2024-02-22T20:14:15.003 SERVER-1 An account failed to log on.
This configuration reads logs from a file and parses records to structured data with a regular expression.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Finally, it converts the log record to JSON for demonstration purposes.
<Extension json>
    Module xm_json
    DateFormat YYYY-MM-DDThh:mm:ss.sUTC (1)
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        if $raw_event =~ /^(.+)\t(.+)\t(.+)/
        {
            $EventTime = parsedate($1, TRUE); (2)
            $Hostname = $2;
            $Message = $3;
            to_json(); (3)
        }
    </Exec>
</Input>
(1) The DateFormat directive specifies the output date format when using xm_json's functions and procedures.
(2) Calls the parsedate() function with the utc argument set to TRUE. This argument specifies that if the timestamp does not contain timezone information, the function should treat it as UTC.
(3) The to_json() procedure of the xm_json module converts the log record to JSON format and sets the $raw_event field.
The following JSON object shows the same log record after NXLog Agent processed it.
{
"EventReceivedTime": "2024-02-22T20:16:04.573668Z",
"SourceModuleName": "auth_events",
"SourceModuleType": "im_file",
"Hostname": "SERVER-1",
"EventTime": "2024-02-22T20:14:15.003000Z",
"Message": "An account failed to log on."
}
Since JSON does not contain a datetime type, the string type is commonly used for timestamps in JSON logs. By default, the xm_json module attempts to parse strings that begin with four digits as datetime and will treat timestamps without a UTC offset as local time. You can change this behavior with the ParseDate directive.
The following JSON log sample contains a timestamp without a UTC offset.
{
"EventTime": "2024-02-22T20:14:15.003",
"Hostname": "SERVER-1",
"Message": "An account failed to log on."
}
This configuration reads logs from a file and parses records to structured data with the parse_json() procedure of the xm_json module. It then uses the parsedate() function to convert the captured timestamp string to datetime. Finally, it converts the log record back to JSON for demonstration purposes.
<Extension json>
    Module xm_json
    ParseDate FALSE (1)
    DateFormat YYYY-MM-DDThh:mm:ss.sUTC (2)
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        parse_json();
        $EventTime = parsedate($EventTime, TRUE); (3)
        to_json(); (4)
    </Exec>
</Input>
(1) Sets the ParseDate directive to FALSE to switch off automatic date parsing.
(2) The DateFormat directive specifies the output date format when using xm_json's functions and procedures.
(3) Calls the parsedate() function with the utc argument set to TRUE. This argument specifies that if the timestamp does not contain timezone information, the function should treat it as UTC.
(4) The to_json() procedure of the xm_json module converts the log record to JSON format and sets the $raw_event field.
The following JSON object shows the same log record after NXLog Agent processed it.
{
"EventReceivedTime": "2024-02-22T20:16:04.573668Z",
"SourceModuleName": "auth_events",
"SourceModuleType": "im_file",
"Hostname": "SERVER-1",
"EventTime": "2024-02-22T19:14:15.003000Z",
"Message": "An account failed to log on."
}
Generating timestamps in UTC
Converting a datetime value to a string depends on the function, procedure, and module you use. The global DateFormat directive applies to most functions and procedures. However, modules like xm_json and xm_syslog handle datetime values differently.
The examples below demonstrate how to output dates in UTC when generating CSV, JSON, and syslog formats.
The global DateFormat directive also applies to the timestamp format in the NXLog Agent LogFile.
The following log sample contains a timestamp without a UTC offset.
2024-02-22T20:14:15.003 SERVER-1 An account failed to log on.
This configuration reads logs from a file and parses records to structured data with a regular expression.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Unless the event time contains timezone information, this function treats the timestamp as local time.
Finally, it converts the log record to CSV for demonstration purposes.
DateFormat YYYY-MM-DDThh:mm:ss.sUTC (1)
<Extension csv>
    Module xm_csv
    Fields $EventTime, $Hostname, $Message
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        if $raw_event =~ /^(.+)\t(.+)\t(.+)/
        {
            $EventTime = parsedate($1);
            $Hostname = $2;
            $Message = $3;
            to_csv(); (2)
        }
    </Exec>
</Input>
(1) The DateFormat directive specifies the output date format.
(2) The to_csv() procedure of the xm_csv module converts the log record to CSV and sets the $raw_event field.
The following output shows the same log record after NXLog Agent processed it. These timestamp variations would produce the same output:
- 2024-02-22T21:14:15.003+02:00
- 2024-02-22T19:14:15.003Z
2024-02-22T19:14:15.003000Z,"SERVER-1","An account failed to log on."
The following log sample contains a timestamp without a UTC offset.
2024-02-22T20:14:15.003 SERVER-1 An account failed to log on.
This configuration reads logs from a file and parses records to structured data with a regular expression.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Unless the event time contains timezone information, this function treats the timestamp as local time.
Finally, it converts the log record to JSON format.
<Extension json>
    Module xm_json
    DateFormat YYYY-MM-DDThh:mm:ss.sUTC (1)
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        if $raw_event =~ /^(.+)\t(.+)\t(.+)/
        {
            $EventTime = parsedate($1);
            $Hostname = $2;
            $Message = $3;
            to_json(); (2)
        }
    </Exec>
</Input>
(1) Sets the DateFormat directive of the xm_json module instance to an ISO 8601 date format with the UTC suffix.
(2) The to_json() procedure of the xm_json module converts the log record to JSON and sets the $raw_event field.
The following JSON object shows the same log record after NXLog Agent processed it.
{
"EventReceivedTime": "2024-02-22T20:16:04.573668Z",
"SourceModuleName": "auth_events",
"SourceModuleType": "im_file",
"Hostname": "SERVER-1",
"EventTime": "2024-02-22T19:14:15.003000Z",
"Message": "An account failed to log on."
}
The following log sample contains a timestamp without a UTC offset.
2024-02-22T20:14:15.003 SERVER-1 An account failed to log on.
This configuration reads logs from a file and parses records to structured data with a regular expression.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Unless the event time contains timezone information, this function treats the timestamp as local time.
Finally, it converts the log record to BSD syslog.
<Extension syslog>
    Module xm_syslog
    UTCTimestamp TRUE (1)
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        if $raw_event =~ /^(.+)\t(.+)\t(.+)/
        {
            $EventTime = parsedate($1);
            $Hostname = $2;
            $Message = $3;
            to_syslog_bsd(); (2)
        }
    </Exec>
</Input>
(1) Sets the UTCTimestamp directive to TRUE to output timestamps in UTC.
(2) The to_syslog_bsd() procedure of the xm_syslog module converts the log record to syslog and sets the $raw_event field.
The following output shows the same log record after NXLog Agent processed it.
<13>Feb 22 19:14:15 SERVER-1 An account failed to log on.
The following log sample contains a timestamp without a UTC offset.
2024-02-22T20:14:15.003 SERVER-1 An account failed to log on.
This configuration reads logs from a file and parses records to structured data with a regular expression.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Unless the event time contains timezone information, this function treats the timestamp as local time.
Finally, it converts the log record to CSV for demonstration purposes.
<Extension csv>
    Module xm_csv
    Fields $EventTime, $UTCTimestamp, $Hostname, $Message
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        if $raw_event =~ /^(.+)\t(.+)\t(.+)/
        {
            $EventTime = parsedate($1);
            $UTCTimestamp = integer($EventTime); (1)
            $Hostname = $2;
            $Message = $3;
            to_csv(); (2)
        }
    </Exec>
</Input>
(1) The integer() function converts a datetime to a UTC timestamp in the Unix time format.
(2) The to_csv() procedure of the xm_csv module converts the log record to CSV and sets the $raw_event field.
The following output shows the same log record after NXLog Agent processed it.
2024-02-22 20:14:15,1708629255003000,"SERVER-1","An account failed to log on."
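The Python sketch below is an added example, not NXLog code and not part of the original documentation. It models the two parsedate() interpretations of an offset-less timestamp on a host assumed to sit at a fixed UTC+1, and reproduces the UTC strings and the Unix-time value shown in the examples above; the function names and the fixed-offset handling are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the agent host sits at a fixed UTC+1, as in the page's examples (no DST).
AGENT_TZ = timezone(timedelta(hours=1))
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Constructed sample: the page's record, tab-separated to match its regular expression.
SAMPLE = "2024-02-22T20:14:15.003\tSERVER-1\tAn account failed to log on."


def parse_event_time(text, naive_is_utc=False):
    """Model of parsedate(text) and parsedate(text, TRUE).

    An explicit offset in the input always wins. A timestamp without one is
    read as agent-local time unless naive_is_utc is set.
    """
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc if naive_is_utc else AGENT_TZ)
    return dt.astimezone(timezone.utc)


def format_utc(dt):
    """Render a datetime the way the page's UTC JSON/CSV output appears."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def epoch_micros(dt):
    """Whole microseconds since the Unix epoch, without float rounding."""
    return (dt - EPOCH) // timedelta(microseconds=1)


def normalize(line, naive_is_utc=False):
    """Split a tab-separated record and return it with a UTC EventTime."""
    stamp, host, message = line.split("\t", 2)
    dt = parse_event_time(stamp, naive_is_utc)
    return {"EventTime": format_utc(dt), "Epoch": epoch_micros(dt),
            "Hostname": host, "Message": message}


def skew_seconds(text):
    """Gap between the UTC and local readings of the same timestamp string."""
    as_utc = parse_event_time(text, naive_is_utc=True)
    as_local = parse_event_time(text)
    return int((as_utc - as_local).total_seconds())


if __name__ == "__main__":
    print(normalize(SAMPLE))                     # offset-less value read as local time
    print(normalize(SAMPLE, naive_is_utc=True))  # offset-less value read as UTC
    print(skew_seconds("2024-02-22T20:14:15.003"), "seconds apart")
```

When correlating events from hosts in different time zones, the skew value is the error a timeline inherits if the collector's parsing mode does not match how the source wrote its timestamps.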
Configure global timestamp settings
NXLog Agent uses the `YYYY-MM-DD hh:mm:ss` date and time format by default and provides the following global directives to parse and generate timestamps in UTC:
- ParseDateInUTC is equivalent to using parsedate(arg, TRUE) to parse timestamps without timezone information as UTC.
- GenerateDateInUTC is equivalent to specifying DateFormat YYYY-MM-DD hh:mm:ssUTC to output timestamps in UTC.
The following log record contains a timestamp without a timezone offset.
2024-02-22T20:14:15.003 SERVER-1 An account failed to log on.
This configuration sets the ParseDateInUTC and GenerateDateInUTC global directives to TRUE.
It reads logs from a file and parses records to structured data with a regular expression.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Unless the event time contains timezone information, this function will treat timestamps as UTC according to the ParseDateInUTC directive.
Finally, it converts the log record to CSV for demonstration purposes.
GenerateDateInUTC TRUE
ParseDateInUTC TRUE
<Extension csv>
    Module xm_csv
    Fields $EventTime, $Hostname, $Message
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        if $raw_event =~ /^(.+)\t(.+)\t(.+)/
        {
            $EventTime = parsedate($1);
            $Hostname = $2;
            $Message = $3;
            to_csv(); (1)
        }
    </Exec>
</Input>
(1) The to_csv() procedure of the xm_csv module converts the log record to CSV and sets the $raw_event field. It will output timestamps without timezone information in UTC according to the GenerateDateInUTC directive.
The following output shows the same log record after NXLog Agent processed it. These timestamp variations would produce the same output:
- 2024-02-22 21:14:15+01:00
- 2024-02-22 20:14:15Z
2024-02-22 20:14:15,"SERVER-1","An account failed to log on."
The configuration above does not apply when parsing logs with the parse_json() procedure.
The next example demonstrates using the ParseDateInUTC global directive when parsing JSON logs.
The following is a log record containing a timestamp without a timezone offset. In this example, we used this sample as input data and executed the configuration on a machine with the timezone set to UTC+2.
{
"EventTime": "2024-02-22T20:14:15",
"Hostname": "SERVER-1",
"Message": "An account failed to log on."
}
This configuration sets the ParseDateInUTC and GenerateDateInUTC global directives to TRUE.
It reads logs from a file and parses records to structured data with the parse_json() procedure of the xm_json module.
It then uses the parsedate() function to parse the captured string and set the $EventTime field.
Unless the event time contains timezone information, this function will treat timestamps as UTC according to the ParseDateInUTC directive.
Finally, it converts the log record to CSV for demonstration purposes.
GenerateDateInUTC TRUE
ParseDateInUTC TRUE
<Extension json>
    Module xm_json
    ParseDate FALSE (1)
</Extension>
<Extension csv>
    Module xm_csv
    Fields $EventTime, $Hostname, $Message
</Extension>
<Input auth_events>
    Module im_file
    File '/path/to/log/file'
    <Exec>
        parse_json();
        $EventTime = parsedate($EventTime);
        to_csv(); (2)
    </Exec>
</Input>
(1) Sets the ParseDate directive to FALSE to switch off automatic date parsing.
(2) The to_csv() procedure of the xm_csv module converts the log record to CSV and sets the $raw_event field. It will output timestamps without timezone information in UTC according to the GenerateDateInUTC directive.
The following output shows the same log record after NXLog Agent processed it. These timestamp variations would produce the same output:
- 2021-09-22 17:14:15+02:00
- 2021-09-22 15:14:15Z
2024-02-22 20:14:15,"SERVER-1","An account failed to log on."
GenerateDateInUTC does not apply when creating JSON output with the to_json() procedure or function.
Use the xm_json DateFormat directive instead.
See Generating JSON logs with UTC timestamps above.