[syslog-ng] syslog-ng logging with wrong year

Balazs Scheidler bazsi at balabit.hu
Wed Apr 9 21:38:11 CEST 2008


On Wed, 2008-04-09 at 12:32 -0700, Evan Rempel wrote:
> Balazs Scheidler wrote:
> > On Wed, 2008-04-09 at 09:20 -0400, Jean-Sebastien Pilon wrote:
> >>> And in addition, the timestamp of the message does not contain a year,
> >>> there's a heuristic in syslog-ng to determine that.
> >>>
> >>> Here's the heuristic used:
> >>>
> >>>       tm.tm_year = nowtm.tm_year;
> >>>       if (tm.tm_mon > nowtm.tm_mon)
> >>>         tm.tm_year--;
> >>>
> >>> E.g. if the current month is smaller than the month in the timestamp,
> >>> syslog-ng assumes that it comes from the previous year. Hmm... Maybe
> >>> this heuristic would be better:
> >>>
> >>>       tm.tm_year = nowtm.tm_year;
> >>>       if (tm.tm_mon == 11 && nowtm.tm_mon == 0)
> >>>         tm.tm_year--;
> >>>
> >>> E.g. the year is decreased only if the receiver's time is in January,
> >>> and the sender came in as December. This would not handle really
> >>> skewed timestamps, but your case would be covered.
> >>>
> >>> I'm reluctant to change this in 2.0 (the current algorithm has been in
> >>> place for about a decade now), however I can commit a patch to 2.1.
> >>> What do others think?
> >>>
> >>> And a side-note: the best solution is to use a timestamp that actually
> >>> includes the year information, like ISODATE.
> >>
> >> How can I set ISODATE?
> > 
> > You should use a template to override the format that syslog-ng uses by
> > default, like:
> > 
> > destination d1 { tcp("host" template("<$PRI>$ISODATE $HOST $MSG\n")); };
> > 
> > On the client. On the server no changes are necessary; it will autodetect
> > the timestamp as received from the network.
> 
> 
> Except that when I try to use the $ISODATE in the "on the wire" tcp connection
> in syslog-ng 2.0.8 (both ends) syslog-ng didn't parse the message correctly at all.
> It behaved just like there was no time or host in the message at all.
> 
> template accounting        { template("<030>$R_ISODATE $HOST dsmacct: UVIC_ADM1: $MSG\n"); template_escape(no); };
> 
> options {
>          sync(0);
>          log_fifo_size(100000);
>          use_fqdn(yes);
>          keep_hostname(no);
>          chain_hostnames(no);
>          time_reap(60);
>          time_reopen(5);
> };
> 
> I just switched to $R_DATE and all works. I assumed that the ISODATE was just not handled by syslog-ng
> on an incoming connection as it is well outside the RFC.

Hm... there's code for it in the message parsing, there are even unit
tests to test it. Let me see...

I've just checked it, it works just fine.

-- 
Bazsi
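
The following is an added example, not code from this thread or from syslog-ng itself. It re-implements the two year-inference heuristics quoted above in Python (keeping struct tm's 0-based month so the comparisons read the same as the C), parses both the year-less BSD "Mmm dd HH:MM:SS" timestamp and an ISO 8601 ($ISODATE-style) timestamp, and runs them over constructed lines around a month boundary and the New Year boundary. The receiver clocks, host names and message text are all made up for the example; the point is that a sender only a minute ahead of the receiver gets its log stamped a full year in the past under the legacy heuristic, which is exactly the kind of error that silently wrecks a forensic timeline, while an ISO timestamp needs no guessing at all.

```python
"""Added example: year inference for year-less BSD syslog timestamps.

The two heuristics mirror the C fragments quoted in the thread (tm_mon is
0-based, as in struct tm). Everything else, including the sample lines and
the receiver clocks, is constructed for this example.
"""
import re
from datetime import datetime, timezone
from typing import Callable, Optional

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"])}

# "Mmm dd HH:MM:SS " as produced by $DATE / $R_DATE (day is space padded)
BSD_TS = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")
# ISO 8601 with UTC offset, as produced by $ISODATE / $R_ISODATE
ISO_TS = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) ")


def infer_year_legacy(msg_mon: int, now: datetime) -> int:
    """Heuristic quoted from syslog-ng 2.0: a message whose month is later
    than the receiver's month is assumed to come from last year."""
    year = now.year
    if msg_mon > now.month - 1:      # tm_mon > nowtm.tm_mon
        year -= 1
    return year


def infer_year_proposed(msg_mon: int, now: datetime) -> int:
    """Proposed replacement: decrement only when the sender says December
    and the receiver is already in January."""
    year = now.year
    if msg_mon == 11 and now.month - 1 == 0:
        year -= 1
    return year


def parse_timestamp(line: str, now: datetime,
                    infer: Callable[[int, datetime], int] = infer_year_legacy
                    ) -> Optional[datetime]:
    """Return the message timestamp, or None when the line carries no
    recognisable timestamp (the 'no time, no host' symptom from the thread)."""
    m = ISO_TS.match(line)
    if m:
        # The year is on the wire, so no heuristic is involved at all.
        return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    m = BSD_TS.match(line)
    if not m:
        return None
    mon = MONTHS.get(m.group(1))
    if mon is None:
        return None
    year = infer(mon, now)
    try:
        return datetime(year, mon + 1, int(m.group(2)),
                        int(m.group(3)), int(m.group(4)), int(m.group(5)),
                        tzinfo=now.tzinfo)
    except ValueError:
        # e.g. "Feb 29" pushed into a non-leap year by the heuristic
        return None


def demo() -> dict:
    """Constructed receiver clocks and lines exercising the boundary cases."""
    tz = timezone.utc
    # Receiver is seconds before midnight on April 30; the sender's clock is
    # a minute ahead and already in May.
    late_april = datetime(2008, 4, 30, 23, 59, 30, tzinfo=tz)
    skewed = "May  1 00:00:10 client dsmacct: session opened"
    # Receiver just passed New Year; the sender's message is still December.
    new_year = datetime(2008, 1, 1, 0, 0, 5, tzinfo=tz)
    december = "Dec 31 23:59:50 client dsmacct: session closed"
    # Same event sent with an ISO timestamp: unambiguous, no inference.
    iso = "2008-05-01T00:00:10+00:00 client dsmacct: session opened"
    # Leap day that the heuristic lands in a non-leap year.
    early_march = datetime(2009, 3, 1, 8, 0, 0, tzinfo=tz)
    leap = "Feb 29 12:00:00 client dsmacct: leap day"
    return {
        "skewed_legacy": parse_timestamp(skewed, late_april, infer_year_legacy),
        "skewed_proposed": parse_timestamp(skewed, late_april, infer_year_proposed),
        "dec_legacy": parse_timestamp(december, new_year, infer_year_legacy),
        "dec_proposed": parse_timestamp(december, new_year, infer_year_proposed),
        "iso": parse_timestamp(iso, late_april),
        "leap_legacy": parse_timestamp(leap, early_march, infer_year_legacy),
        "no_ts": parse_timestamp("no timestamp here", late_april),
    }


if __name__ == "__main__":
    for name, ts in demo().items():
        print(f"{name:16} {ts.isoformat() if ts else None}")
```

Running it shows the skewed May 1 message dated 2007 under the legacy rule and 2008 under the proposed rule, both rules agreeing on the December message received in January, and the ISO line coming back exactly as sent. A collector that applies either heuristic is guessing, so the design choice the thread arrives at (put the year on the wire with $ISODATE, and normalise clocks with NTP so the receiver-side comparison is not fed by a skewed sender) removes the class of error rather than narrowing it.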
