PVE8 log timestamp format changed

[AlexKay]

Hi folks,
I use logcheck to sort out logs and mail only non common messages. Since update to PVE8 I noticed changed timestamps in several logfiles:

PVE7:

/var/log/syslog:
Jul  2 00:00:22 pve1 pveproxy[1228132]: worker exit
Jul  2 00:00:22 pve1 pveproxy[1279269]: worker 1228130 finished

PVE8:

/var/log/syslog:
2023-07-06T13:29:31.929626+02:00 pve1 postfix/smtpd[2766625]: connect from localhost.localdomain[127.0.0.1]
2023-07-06T13:29:31.929762+02:00 pve1 postfix/smtpd[2766625]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 quit=1 commands=2

This change affects several logfiles such as syslog, auth.log, cron.log, kern.log and many more.
Is this change introduced by Debian 12 / bookworm or changed by PVE8?

 

[Dunuin]

Did you install rsyslog on your own? As far as I understand, by default, syslog won't be used by PVE8/Bookworm any longer and systemd journal should be used instead.

 

[Stoiko Ivanov]

This change affects several logfiles such as syslog, auth.log, cron.log, kern.log and many more.
Is this change introduced by Debian 12 / bookworm or changed by PVE8?

Yes - with bookworm the rsyslog.conf changed and now logs in the (far more sensible) rfc3339 timestamp format. - The change comes from Debian - not from the PVE packages (which don't touch your syslog config)

You can change back to traditional format by adding:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

in your rsyslog.conf (below the GLOBAL DIRECTIVES comment)

I assume Debian did the change now, since rsyslog is not installed by default anymore as @Dunuin correctly pointed out.

 

[AlexKay]

Thanks for your clarifications!
Maybe I still have rsyslog installed, because I migrated (apt distr-upgrade) from PVE6 to 7 and a couple of days ago to 8.
I will check if logcheck package relies on rsyslog or if it could also use systemd journal instead.
After that I can decide to adapt my custom rules to filter out non-relevant from email notifications.