On Wed, 2008-04-09 at 13:02 +0100, G.W. Haywood wrote:
Hi there,
On Wed, 9 Apr 2008 Balazs Scheidler wrote:
...the timestamp of the message does not contain a year, there's a heuristic in syslog-ng to determine that. ... I'm reluctant to change this in 2.0 (the current algorithm has been in place for about a decade now), however I can commit a patch to 2.1. What do others think?
If you do, please make it optional, disabled by default. It could be enabled by a command-line switch or by the configuration file options.
If I did that, there'd be no point in adding it in the first place. If I changed everything in the way you describe there would be no end of switches command line or otherwise that would control knobs inside syslog-ng here and there. And I doubt users could make an educated guess on how to set syslog-ng up. It seems that the current heuristics is wrong whenever the time on the client machine is in the future compared to the receiving end. I was wrong about the "decade" old estimate, in syslog-ng 1.6.x this was changed a couple of years back to: tm.tm_year = nowtm->tm_year; if (tm.tm_mon > nowtm->tm_mon + 1) tm.tm_year--; E.g. it requires _at least_ two months difference in order to assume that the timestamps is in the past year. It was changed here: 2001-06-11 Balazs Scheidler <bazsi@balabit.hu> * src/log.c (parse_log_msg): fixed year recognition logic (reported by <dj AT gregor.com> This algorithm above is less intrusive to the one that I suggested in my previous post, and as it seems has been tested in production for 5-6 years in syslog-ng 1.6.x Based on this I'm thinking about committing the same to both 2.0 and 2.1. Any other comments? -- Bazsi