High precision timestamps
I'm looking at ways to get high precision (with fractions of seconds) timestamps out of nxlog. If the application provides these, it's of course easy to get this data into nxlog, but it's not easy to get it out - the strftime function you can format timestamps with doesn't support fractions of seconds. Am I right?
It's even more problematic if the application doesn't provide high precision timestamps - which is the case with most Unix programs using im_uds or all data from im_kernel, for example. Even the EventReceivedTime timestamp used in the case of the IETF syslog format isn't high precision.
Now, before anyone says that these wouldn't be very precise timestamps anyway - that's not what I really care about. But since events can be reordered on the path to log analysis (with redundant message brokers and stuff), it is critical to have high precision timestamps so the correct order of the messages can be restored.
Ideally I'd like to use BSD syslog with high precision timestamps, but in any case it seems to be impossible at the moment. Or am I overlooking something?
strftime() does not provide a way to output the fractional part because this is missing from the underlying C function call and the POSIX API.
Internally all datetime fields store a microsecond precision value (e.g. EventTime, EventReceivedTime, etc.). Unfortunately, due to the above limitations of strftime(), it's not easy to convert this to a human readable form. A solution you might consider - this is what some people use - is to convert it into an integer value:
Exec $EventTime = integer($EventTime);
Adding another formatter function that should properly support timezones and fractional parts is on the roadmap.
BSD syslog can't have fractional seconds as it would break the standard. The newer IETF syslog already has that.
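As an added example (not from this thread or from nxlog itself), a small Python post-processor for records that were emitted with the integer($EventTime) trick above: it renders the integer back into an IETF-style timestamp with fractional seconds and restores message order. It assumes integer() yields microseconds since the Unix epoch, and the tab-separated layout and the sample lines are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three records that a broker delivered out of order.
# Layout (assumed): integer EventTime in microseconds, Hostname, Message, tab-separated.
SAMPLE_RECORDS = [
    "1700000000123456\thostA\tsession opened",
    "1700000000123001\thostA\tauth ok",
    "1700000000122999\thostB\tconnection accepted",
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_record(line: str) -> dict:
    """Split one nxlog output line into its fields; EventTime stays an exact int."""
    ts_us, host, msg = line.split("\t", 2)
    return {"event_time_us": int(ts_us), "host": host, "message": msg}


def format_iso_micro(ts_us: int) -> str:
    """Microseconds since epoch -> RFC 5424 style UTC timestamp with fractions.

    Uses timedelta arithmetic instead of float seconds so no microsecond is lost.
    """
    dt = EPOCH + timedelta(microseconds=ts_us)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond:06d}Z"


def restore_order(lines: list[str]) -> list[dict]:
    """Re-sort records by their microsecond EventTime (stable, so ties keep arrival order)."""
    records = [parse_record(line) for line in lines]
    return sorted(records, key=lambda r: r["event_time_us"])


def render(lines: list[str]) -> list[str]:
    """Ordered, human-readable lines with the fractional seconds strftime() drops."""
    return [
        f"{format_iso_micro(r['event_time_us'])} {r['host']} {r['message']}"
        for r in restore_order(lines)
    ]


if __name__ == "__main__":
    for out in render(SAMPLE_RECORDS):
        print(out)
```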