The rocket-fast system for log processing

What is the difference between timereported and timegenerated?

Each message that is received by rsyslog is usually available with two timestamps. They can be accessed by using the properties "timereported" and "timegenerated".

"timegenerated" is always the time when rsyslog generated the message object on the local machine. That actually means it is the time when the message was received (either via the oscall layer or on some inputs based on information the OS provides).

"timereported" is what the sending device reports as time. This is taken from the appropriate syslog header field. If and only if the syslog date header cannot properly be parsed, "timereported" is populated with the same value as "timegenerated".

Assuming that all systems in a relay chain use valid syslog format, "timereported" will be the same on all relay machines, whereas "timegenerated" reflects the local time of message reception and thus is different on each relay machine.

Please keep in mind the mentioned difference between both properties. It is well known, that the property name for "timegenerated" might be a bit confusing. As such, "timereceived" would probably be a better name, but changing it is not possible without breaking existing deplyoments.