A typical entry in WinSyslog’s log file looks as follows:
2001-02-15,17:09:35,192.168.2.1,23,5,74: *Mar 3 17:51:09.270 Central: > %SYS-5-CONFIG_I: Configured from console by vty0
As you can see, there are two timestamps in it. The first time stamp is generated by WinSyslog as the message arrives. The second one is generated by the syslog sender. Usually, these timestamps are very close. However, there might be some syslog devices that send messages deferred. In this case, the first timestamp gives you an idea when the message arrived, but the second has the actual time of the event (well, in fact it is a bit ahead of the current time).
Also, please note that the second time stamp is generated by the device sending the syslog message, NOT WinSyslog. There is a great variety of syslog enabled devices and we do not have any control over how they format there message. Some of them might even include NO timestamp at all. In this case, the WinSyslog generated stamp is a life-saver.
As you can see in the example above, the device obviously has wrong date and time information. WinSyslog here provides a clue to when it really happened.