From f0d4adc53dcffe70d70ed41df41b14af44f880fb Mon Sep 17 00:00:00 2001 From: Chance Zibolski Date: Wed, 11 Nov 2020 12:51:47 -0800 Subject: [PATCH] promtail: Add support for using syslog message timestamp (#2914) Currently promtail sets the timestamp of incoming syslog messages to the time it was received by promtail. In some cases, it is preferable to use the source timestamp instead. This adds a new `use_message_timestamp` option to the syslog target config, which allows users to opt-in to the behavior of using the timestamp on the message, if one exists. --- docs/sources/clients/promtail/configuration.md | 5 +++++ pkg/promtail/scrapeconfig/scrapeconfig.go | 4 ++++ pkg/promtail/targets/syslog/syslogtarget.go | 15 +++++++++++---- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/docs/sources/clients/promtail/configuration.md b/docs/sources/clients/promtail/configuration.md index 33dcc4a962822..9dfe60a2effe7 100644 --- a/docs/sources/clients/promtail/configuration.md +++ b/docs/sources/clients/promtail/configuration.md @@ -765,6 +765,11 @@ label_structured_data: # Label map to add to every log message. labels: [ : ... ] + +# Whether promtail should pass on the timestamp from the incoming syslog message. +# When false, or if no timestamp is present on the syslog message, Promtail will assign the current timestamp to the log when it was processed. +# Default is false +use_incoming_timestamp: ``` #### Available Labels diff --git a/pkg/promtail/scrapeconfig/scrapeconfig.go b/pkg/promtail/scrapeconfig/scrapeconfig.go index aa7d2301795ae..bef131b7d5ed8 100644 --- a/pkg/promtail/scrapeconfig/scrapeconfig.go +++ b/pkg/promtail/scrapeconfig/scrapeconfig.go @@ -158,6 +158,10 @@ type SyslogTargetConfig struct { // Labels optionally holds labels to associate with each record read from syslog. Labels model.LabelSet `yaml:"labels"` + + // UseIncomingTimestamp sets the timestamp to the incoming syslog mesages + // timestamp if it's set. + UseIncomingTimestamp bool `yaml:"use_incoming_timestamp"` } // PushTargetConfig describes a scrape config that listens for Loki push messages. diff --git a/pkg/promtail/targets/syslog/syslogtarget.go b/pkg/promtail/targets/syslog/syslogtarget.go index 27eccee8f4df5..501c3aa67a863 100644 --- a/pkg/promtail/targets/syslog/syslogtarget.go +++ b/pkg/promtail/targets/syslog/syslogtarget.go @@ -64,8 +64,9 @@ type SyslogTarget struct { } type message struct { - labels model.LabelSet - message string + labels model.LabelSet + message string + timestamp time.Time } // NewSyslogTarget configures a new SyslogTarget. @@ -231,12 +232,18 @@ func (t *SyslogTarget) handleMessage(connLabels labels.Labels, msg syslog.Messag filtered[model.LabelName(lbl.Name)] = model.LabelValue(lbl.Value) } - t.messages <- message{filtered, *rfc5424Msg.Message} + var timestamp time.Time + if t.config.UseIncomingTimestamp && rfc5424Msg.Timestamp != nil { + timestamp = *rfc5424Msg.Timestamp + } else { + timestamp = time.Now() + } + t.messages <- message{filtered, *rfc5424Msg.Message, timestamp} } func (t *SyslogTarget) messageSender() { for msg := range t.messages { - if err := t.handler.Handle(msg.labels, time.Now(), msg.message); err != nil { + if err := t.handler.Handle(msg.labels, msg.timestamp, msg.message); err != nil { level.Error(t.logger).Log("msg", "error handling line", "error", err) } syslogEntries.Inc()