If you remember reason 9 from my 12 reasons why you should use the Log Insight agent post then you may be wondering how you can support time deltas greater than 10 minutes between the client and the server. In this post, I will cover how to do it.
Background
For security reasons, the Log Insight ingestion API only honors the client-supplied timestamp if it is within 10 minutes of the Log Insight server time. While this default behavior makes sense, there are use cases where using the client timestamp is desired even though it varies greatly from the Log Insight server time.
Workaround
WARNING: The following is not officially supported. Proceed at your own risk.
While the UI does not offer a way to override the default client timestamp behavior, you can do so from the CLI. To do this, you need to create a new (actually, updated) configuration on the master node and then restart each node, starting with the master. The only information you need is the configuration section that overrides the setting. The configuration is as follows:
<api-server>
  <trust-client-timestamp value="true" />
  <max-tolerated-client-time-drift value="9223372036854775807" />
</api-server>
The actual steps would be (be sure to read the comment below):
PROJECTS=/storage/core/loginsight/config
# pick the highest-numbered configuration file (loginsight-config.xml#N)
CONFIG=$(ls $PROJECTS/loginsight-config.xml* | sort -k1.55n | tail -n 1)
NUM=$(echo "$CONFIG" | awk '{split($0,a,"#"); print a[2]}')
cp "$CONFIG" temp.xml
# insert the api-server override just before the closing </config> tag
sed -i '/<\/config>/i \
<api-server> \
<trust-client-timestamp value="true" \/> \
<max-tolerated-client-time-drift value="9223372036854775807" \/> \
<\/api-server>' temp.xml
mv temp.xml "$PROJECTS/loginsight-config.xml#$NUM"
service loginsight restart
# you must restart the LI service on all the workers as well
# <restart_workers>
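A guarded variant of the edit step, added here as an example and not the author's script: it refuses to insert the block twice, keeps a backup outside the config directory, and validates the result before overwriting the file. The function name, return codes, backup-directory argument and sample config are assumptions for illustration; xmllint is used only if it is installed.

```shell
#!/bin/sh
# Added example, not the author's script. Element names and the drift value
# come from the post; the function name, return codes and sample are assumed.
#
# apply_drift_override FILE BACKUP_DIR
#   0 = override inserted   1 = refused, FILE untouched   2 = already present
apply_drift_override() {
    cfg=$1; bak="$2/$(basename "$cfg").bak"; new="$2/$(basename "$cfg").new"
    [ -f "$cfg" ] && [ -d "$2" ] || { echo "need FILE and BACKUP_DIR" >&2; return 1; }
    # Re-running must not stack a second block.
    grep -q '<trust-client-timestamp' "$cfg" && return 2
    # The insertion point is a single closing tag alone on its line.
    [ "$(grep -c -E '^[[:space:]]*</config>[[:space:]]*$' "$cfg")" -eq 1 ] ||
        { echo "expected one </config> on its own line" >&2; return 1; }
    # Assumption: an existing <api-server> section is merged by hand instead.
    grep -q '<api-server' "$cfg" &&
        { echo "existing <api-server> section, merge manually" >&2; return 1; }
    # Backup goes outside the config directory so the loginsight-config.xml*
    # glob in the procedure never picks it up as the newest config.
    cp -p "$cfg" "$bak" || return 1
    awk '/^[ \t]*<\/config>[ \t]*$/ {
            print "  <api-server>"
            print "    <trust-client-timestamp value=\"true\" />"
            print "    <max-tolerated-client-time-drift value=\"9223372036854775807\" />"
            print "  </api-server>"
         }
         { print }' "$bak" > "$new" || return 1
    # Check the result before it replaces the live file.
    ok=1
    [ "$(grep -c '<api-server>' "$new")" -eq 1 ] || ok=0
    if command -v xmllint >/dev/null 2>&1; then xmllint --noout "$new" || ok=0; fi
    [ "$ok" -eq 1 ] || { rm -f "$new"; echo "edit failed validation" >&2; return 1; }
    # Overwrite in place to keep the original owner and mode.
    cat "$new" > "$cfg" && rm -f "$new"
}

# Constructed sample config, used only to show the function running.
demo=$(mktemp -d) && mkdir "$demo/cfg" "$demo/bak"
printf '%s\n' '<config>' '  <sample-section value="1" />' '</config>' > "$demo/cfg/sample.xml"
apply_drift_override "$demo/cfg/sample.xml" "$demo/bak" && cat "$demo/cfg/sample.xml"
rm -rf "$demo"
```

On a real node the function would be pointed at the file selected as $CONFIG in the steps above, followed by the same service restarts.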
© 2015, Steve Flanders. All rights reserved.