Log Insight Ingestion API: Always using the Client Timestamp

If you remember reason 9 from my 12 reasons why you should use the Log Insight agent post then you may be wondering how you can support time deltas greater than 10 minutes between the client and the server. In this post, I will cover how to do it.

li-agent

Background

For security reasons, the Log Insight ingestion API only listens to the supplied client timestamp if the timestamp is within 10 minutes of the Log Insight server time. While this default behavior makes sense, there are use-cases where using the client timestamp is desired even though it greatly varies from the Log Insight server time.

Workaround

WARNING: The following is not officially supported. Proceed at your own risk.

While the UI does not offer a way to override the default client timestamp behavior, you can from the CLI. To do this, you need to create a new — actually updated — configuration on the master node and then restart each node starting with the master. The only information you need is the configuration section to override the setting. The configuration is as follows:

The actual steps would be (be sure to read the comment below):

© 2015, Steve Flanders. All rights reserved.

Leave a Reply