datalust / seq-input-gelf

Ingest GELF payloads into Seq
https://datalust.co/seq
Apache License 2.0

select another timestamp key #112

Closed yanzixiang closed 3 months ago

yanzixiang commented 2 years ago

I use gelflib to send the log from systemd-journald to seq-input-gelf.

systemd-journal uses the entry __REALTIME_TIMESTAMP, which is in microseconds since the epoch UTC, but gelflib's setTime function just uses time_t, which is in seconds.

So my log shown in Seq events looks like this: [image]

After I changed the timestamp key in gelflib to a double value, my log shown in Seq events looks like this: [image], and it causes seq-input-gelf to stop running: [image]

So I want to send ms_timestamp to another key, and select that key as the default timestamp column.

KodrAus commented 2 years ago

Sorry for the slow reply here @yanzixiang!

GELF requires the timestamp to be seconds since the epoch, with millisecond precision following a decimal point. It looks like maybe you're ending up with that microseconds-since-epoch value in your GELF message, which is then overflowing in this server because it's trying to treat them as seconds.

We definitely shouldn't ever panic on any input, so I've opened #113 to not overflow when encountering very large timestamp values.

This library doesn't do a lot of transformation itself, but one option you could consider if you want more control over how those journald events are emitted is using a log processing pipeline like Fluent Bit, which has a Systemd input, and can output directly to Seq with very little configuration.

yanzixiang commented 2 years ago

> GELF requires the timestamp to be seconds since the epoch, with millisecond precision following a decimal point. It looks like maybe you're ending up with that microseconds-since-epoch value in your GELF message, which is then overflowing in this server because it's trying to treat them as seconds.

So, the timestamp should be the string "1665628250.123"? I have tried this string, but it fails too...

> This library doesn't do a lot of transformation itself, but one option you could consider if you want more control over how those journald events are emitted is using a log processing pipeline like Fluent Bit, which has a Systemd input, and can output directly to Seq with very little configuration.

My device and the Seq server are not always connected. I want to sync all of systemd's log entries to Seq, so I think I can NOT use Fluent Bit to do this.

KodrAus commented 3 months ago

Just coming back through some triage here. We're going to keep this library focused on the GELF format as specified. In order for events to be ingested correctly, they need to be compliant with the GELF spec and use its seconds since the epoch format.

Thanks again for the original report.
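
The unit mismatch discussed in this thread, as an added example that is not part of the issue and is not seq-input-gelf's own code: a sender-side conversion from journald's microseconds to GELF's fractional seconds, and a receiver-side conversion that returns `None` instead of panicking on an out-of-range timestamp. The function names and the wrong-unit threshold are assumptions made for this sketch; it uses only the Rust standard library.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Sender side: convert journald's __REALTIME_TIMESTAMP (microseconds since
/// the epoch, UTC) to the GELF form, seconds with a decimal fraction.
fn journald_usec_to_gelf(usec: u64) -> f64 {
    // Split first so the fraction is computed from a small integer.
    (usec / 1_000_000) as f64 + (usec % 1_000_000) as f64 / 1_000_000.0
}

/// Receiver side: turn an untrusted GELF timestamp into a SystemTime without
/// any operation that can panic. None means "reject or fall back to now".
fn gelf_to_system_time(ts: f64) -> Option<SystemTime> {
    // try_from_secs_f64 returns Err for NaN, infinities, negatives, overflow.
    let since_epoch = Duration::try_from_secs_f64(ts).ok()?;
    // checked_add returns None where `UNIX_EPOCH + since_epoch` would panic.
    UNIX_EPOCH.checked_add(since_epoch)
}

/// Heuristic (threshold is an assumption of this example): read as seconds,
/// values above 1e11 land past the year 5000, so the sender most likely put
/// milliseconds or microseconds in the field.
fn looks_like_wrong_unit(ts: f64) -> bool {
    ts > 100_000_000_000.0
}

fn main() {
    // Constructed sample: 2022-10-13T02:30:50.123456Z in microseconds.
    let usec: u64 = 1_665_628_250_123_456;
    let gelf = journald_usec_to_gelf(usec);
    println!("GELF timestamp: {gelf:.6}");
    println!("parsed: {:?}", gelf_to_system_time(gelf));
    // The raw microsecond value sent unchanged is flagged, not trusted.
    println!("raw value wrong unit? {}", looks_like_wrong_unit(usec as f64));
    println!("f64::MAX -> {:?}", gelf_to_system_time(f64::MAX));
}
```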