I'm running into an issue with SmartZone logging. After some digging, it appears that the SmartZone is storing events internally with UTC timestamps, but showing them in local time (EST, -5) from within the SmartZone web interface since that's the timezone set on the device. However, when the SmartZone ships those event logs off via syslog, it sends them with a UTC timestamp with no timezone information.
I'm trying to set up Graylog as a centralized logging solution, and it interprets unmarked timestamps as being in local time (appropriately, per ISO8601 and RFC5424). Therefore, it sees those syslog messages from the SmartZone as coming from 5 hours in the future.
So, for instance, the SmartZone sends "Feb 11 20:45:50", but it should send either "Feb 11 20:45:50Z" or "Feb 11 15:45:50-05:00". It looks like the current SmartZone implementation is maybe using the older syslog spec (RFC3164), which does not require any time zone information (but does allow for it). Has anyone else run into this issue? Is there a fix for it on the Ruckus side of things? Or can I file a feature request/bug report somewhere to have the SmartZone syslog use a more up-to-date, unambiguous time format?
Could you confirm what is the current software version running on your SmartZone?
As per my understanding, syslog export will always have UTC time stamp.
If you feel time format needs improvements, you may approach your regional RUCKUS system engineer or sales team and they should help you opening a feature request on your behalf.
I just looked into one of the syslog entry from a recent syslog file and found below time format (UTC), which looks good to me.
Thanks for your response. I can verify, it does appear to me that the syslog exports on vSZ 126.96.36.199. are definitely in UTC timezone. What's seem to be lacking in my syslog logs that is present in yours is the timezone stamp. If you don't mind sharing, what syslog software are you using as a repository for the logs?
The raw message being received by my syslog server are as follows (truncated, with sensitive info replaced by XXX):
<190>Feb 17 18:03:27 XXX-XXXXXXXX Core: @@209,clientRoaming,"apMac"="XXX","clientMac"="XXX","ssid"="XXX", (and so forth, with more key=value pairs)
Whereas the format within the event.log file downloaded from the sVZ is:
2022-02-17T18:03:27+00:00 127.0.33.213 hostapd: @@209,clientRoaming,"apMac"="XXXX","clientMac"="XXXX", (and so forth)
And the format from within the web interface is:
2022/02/17 13:18:27 <which is current local time in EST for the same messages from above> 209 Client roaming Informational (and so forth)
So, it looks like it's being internally stored in GMT with an ISO8601 formatted date, displayed in local local time within the interface, and shipped off over the network in GMT but without any timezone coding.
Assuming all this is not some weird glitch on my end, the procedure for filing a bug report/feature request is to contact our regional Ruckus engineer? How do I go about finding contact information for that person?
In case anyone else is having this problem, I've been told by Ruckus support that this is a known issue and that there is a patch to add time zone information to the SmartZone 5.2.2 syslog exporter. Unfortunately, the patch they provided me did not run on my system - they are investigating why.