I am using the syslog-ng image to aggregate syslog on my environment and forward it all into Elasticsearch for consumption by Kibana (also running in containers). This all works fine, except that all the timestamps have two hours deducted. After some investigation I found that the issue stems from the docker host and all environment systems running on CEST (UTC+2), but the syslog-ng container has default timezone settings of UTC, so syslog assumes all the logs it gets with CEST values have to be converted when passing them on to elastic.

I can docker exec into the running syslog container and run dpkg-reconfigure tzdata to set the container to CEST, too. Without restarting the syslog process, the timestamps immediately start to arrive correctly in Elastic. This is no real solution as I would have to re-do this step when restarting the syslog container. Fortunately syslog runs really stable and did not crash or otherwise need to be restarted. But any kernel upgrade of the Docker host would cause a restart and would require reapplication of this change.

If any of the latter two would be preferred, would you accept a pull request to add such an option to the image, and if so, what would your preferred way of configuring this be?

Environment: Docker host: Ubuntu 16.04 LTS / Docker 1.13.1 / Linux 4.4.

They send data from hundreds or thousands of machines and systems to Logstash or Elasticsearch.
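The two-hour skew described above can be reproduced without any containers by modelling the three parties involved: a sender on CEST, a receiver (the syslog-ng container) that re-renders the timestamp in its own local zone, and a consumer (Kibana) that has to guess a zone when the rendered timestamp carries none. The following is an added example, not code from the issue or from the syslog-ng image; it assumes fixed-offset zones (CEST as UTC+2, no DST transition in the sample), a constructed RFC 5424-style incoming timestamp, and that the receiver's output template either drops or keeps the UTC offset (a modelling assumption, not a statement about the image's actual template):

```python
"""Added example (not from the issue or the syslog-ng image): why a zone
mismatch between sender, relay container and viewer shows up as a two-hour
shift, and why emitting zone-aware timestamps is the robust fix.
"""
from datetime import datetime, timedelta, timezone

# Fixed-offset zones so this runs without system tzdata. Assumption: the
# senders in the issue are on CEST (UTC+2) throughout the sample.
CEST = timezone(timedelta(hours=2), "CEST")
UTC = timezone.utc

# Constructed sample: a sender on CEST emits an RFC 5424 timestamp with its
# offset, so the instant itself is unambiguous when it arrives at the relay.
SAMPLE_TS = "2017-09-14T09:30:00+02:00"


def reformat_in_receiver_zone(iso_with_offset, receiver_zone, keep_offset):
    """Re-render the timestamp the way a relay would: convert the instant to
    the relay's local zone, then format it either with or without the offset.
    A zone-less format is what a naive '%Y-%m-%dT%H:%M:%S' template produces."""
    instant = datetime.fromisoformat(iso_with_offset)  # aware (+02:00)
    local = instant.astimezone(receiver_zone)
    if keep_offset:
        return local.isoformat()
    return local.strftime("%Y-%m-%dT%H:%M:%S")


def displayed_skew_hours(iso_with_offset, receiver_zone, viewer_zone, keep_offset):
    """Hours by which the consumer's reconstructed instant differs from the
    sender's real instant. A zone-less timestamp is interpreted in the
    viewer's zone, which is where the error creeps in."""
    emitted = reformat_in_receiver_zone(iso_with_offset, receiver_zone, keep_offset)
    parsed = datetime.fromisoformat(emitted)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=viewer_zone)  # consumer has to guess
    original = datetime.fromisoformat(iso_with_offset)
    return (parsed - original).total_seconds() / 3600


def scenarios():
    """The three configurations relevant to the issue, as (label, skew)."""
    return [
        # Relay on UTC, zone-less output, viewer on CEST: timestamps land
        # two hours early, which is the symptom reported in the issue.
        ("relay=UTC, zone-less output", displayed_skew_hours(SAMPLE_TS, UTC, CEST, False)),
        # Relay reconfigured to CEST (the dpkg-reconfigure tzdata workaround):
        # correct, but only as long as the relay and viewer zones agree.
        ("relay=CEST, zone-less output", displayed_skew_hours(SAMPLE_TS, CEST, CEST, False)),
        # Relay on UTC but emitting the offset: correct regardless of any
        # container or viewer zone, so no per-restart reconfiguration needed.
        ("relay=UTC, offset kept", displayed_skew_hours(SAMPLE_TS, UTC, CEST, True)),
    ]


if __name__ == "__main__":
    for label, skew in scenarios():
        print(f"{label:32s} -> skew {skew:+.1f} h")
```

The first scenario reproduces the "two hours deducted" symptom, the second reproduces the tzdata workaround, and the third shows why keeping the offset (or rendering in UTC with an explicit zone) in the relay's output template removes the dependency on the container's timezone altogether, which is the property to look for when choosing between configuration options.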