Promtail: scraping previous year log that has no year information (e.g. syslog)

coresystemdco · December 5, 2022, 1:05pm

Hi, in this doc, it says that

If the custom format has no year component specified, Promtail will assume that the current year according to the system’s clock should be used.

given this line of log

Dec  31 23:59:59 node-1 systemd[1]: Started Session 189640 of User ubuntu.

if the above line of log is scrapped at at 2023-01-01 00:00:09, will the timestamp become 2023-12-31 23:59:59 since promtail use the current year or 2022-12-31 23:59:59 since the current time is less than 2023-12-31 23:59:59

yosiasz · December 5, 2022, 3:26pm

Could you do a dry run and see what it does

Is this a one time thing or are you concerned about log files at end of year only?

coresystemdco · December 6, 2022, 2:06am

Could you do a dry run and see what it does

sadly it will use the current year even though the current time has not reach the generated date & time.

Is this a one time thing or are you concerned about log files at end of year only?

My concern is the log files at end of year, because if it gets parsed the current way and sent to loki, i will not be able to ship 1 whole year of log on the next year since it will be counted as out-of-order

yosiasz · December 6, 2022, 2:11am

next step is why is the year not there. can you do some processing to add the year?

coresystemdco · December 6, 2022, 2:14am

i thinks its the default format you get from linux distros. I observed that /var/log/{syslog,cron,auth.log,…} are using this kind of format.

yosiasz · December 6, 2022, 2:23am

really? That is so odd. Is it due to a logging config? THat sounds most unusual

coresystemdco · December 6, 2022, 2:25am

yes, i got two vm and both use that timestamp, the syslog is using rfc-3164

yosiasz · December 6, 2022, 2:27am

There must something you can reconfigure to make it capture year. Maybe others will chime in to support you

coresystemdco · December 6, 2022, 2:30am

noted. thanks @yosiasz