This section describes how to customize the log header and adjust the timestamp.
The FW supports customizing the log header format of session logs in syslog format, packet discard logs, and port pre-allocation logs.
The log headers of most logs output by the firewall contain timestamps. For example, a session log contains the session creation time and end time. The FW supports customizing the timestamp in the syslog header and the timestamp of the session log in netflow format. The firewall processes timestamps in the different log types as follows:
When the firewall outputs session logs in binary and dataflow formats, the timestamps in the logs are always UTC (Coordinated Universal Time) timestamps. Upon receiving the logs, the eLog converts the timestamps to the local time zone and then displays the log information on the web UI. In this way, the log receiving time (local time of the eLog) is consistent with the time contained in the logs when you view log information on the eLog.
When the firewall outputs system logs in syslog format and outputs session logs in netflow format, the timestamps in the log headers are set to UTC timestamps by default and can be adjusted to local timestamps.
If the logs output by the firewall use UTC timestamps and the eLog is located in a non-UTC time zone, the local time of the eLog differs from the time in the logs. In the Beijing time zone, for example, the local time is eight hours later than UTC. As a result, the log information on the eLog shows an eight-hour deviation between the log receiving time (local time of the eLog) and the time contained in the logs, which makes the logs harder to identify and manage.
The following figure shows an example of the time deviation of the Port Range log checked on the eLog. The log receiving time is eight hours later than the mapping time.

In this case, you can adjust, on the firewall, the timestamps in the Port Range log to local timestamps instead of UTC timestamps. In this way, there is no deviation between the log receiving time and the log generation time in the log information displayed on the eLog.
| Log Type | Command | Description |
|---|---|---|
| Session log in syslog format; Packet discard log in syslog format; Port pre-allocation log in syslog format | firewall log syslog header { default [ timestamp { utc \| local \| none } ] \| host-name \| none } | This command sets the log header and timestamp. NOTE: When you customize a session log in syslog format through an expression, the function of adjusting the log header is not supported. By default, the default log header format is used. |
| Session log in netflow format | firewall log netflow header default timestamp { utc \| local } | By default, the timestamp in the log headers is the UTC time. |
| System log in syslog format | info-center loghost ip-address local-time | By default, the timestamp in the log headers is the UTC time. |
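
On the receiving side, the deviation described above can be used to tell which clock a zone-less header timestamp was written in, so that timestamps are normalized to UTC before logs from several devices are correlated. The following Python code is an added example, not part of the product documentation; the collector time zone (UTC+8, as in the Beijing example), the five-minute tolerance, the function names and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the collector sits in UTC+8 (the page's Beijing example).
COLLECTOR_TZ = timezone(timedelta(hours=8))
# Assumption: transit delay plus clock skew stays under five minutes.
TOLERANCE = timedelta(minutes=5)


def classify_header_clock(header_ts, received_at, tolerance=TOLERANCE):
    """Return "utc", "local" or "unknown" for a naive header timestamp."""
    if received_at.tzinfo is None:
        raise ValueError("received_at must be timezone-aware")
    if abs(received_at.utcoffset()) <= tolerance:
        return "unknown"  # collector is in UTC: both readings coincide
    as_utc = header_ts.replace(tzinfo=timezone.utc)
    as_local = header_ts.replace(tzinfo=received_at.tzinfo)
    if abs(received_at - as_utc) <= tolerance:
        return "utc"
    if abs(received_at - as_local) <= tolerance:
        return "local"
    return "unknown"


def to_utc(header_ts, received_at, tolerance=TOLERANCE):
    """Return the header timestamp as aware UTC, or None if unclassified."""
    clock = classify_header_clock(header_ts, received_at, tolerance)
    if clock == "utc":
        return header_ts.replace(tzinfo=timezone.utc)
    if clock == "local":
        return header_ts.replace(tzinfo=received_at.tzinfo).astimezone(timezone.utc)
    return None


# Constructed sample values, not real device output.
RECEIVED = datetime(2024, 3, 1, 18, 0, 5, tzinfo=COLLECTOR_TZ)
SAMPLES = {
    "header in UTC (default)": datetime(2024, 3, 1, 10, 0, 3),
    "header in local time": datetime(2024, 3, 1, 18, 0, 3),
    "unrelated clock": datetime(2024, 3, 1, 13, 0, 0),
}

if __name__ == "__main__":
    for label, ts in SAMPLES.items():
        print(label, classify_header_clock(ts, RECEIVED), to_utc(ts, RECEIVED))
```

A result of "unknown" means the timestamp matches neither reading within the tolerance, which points to a wrong device clock or a delayed delivery rather than a time zone setting.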