On Wed, 2011-12-21 at 13:44 +0100, Balazs Scheidler wrote:
On Fri, 2011-12-02 at 23:20 +0100, Gergely Nagy wrote:
Evan Rempel <erempel@uvic.ca> writes:
When parsing a source that has a month and day but no year, the S_YEAR macro does not default to R_YEAR. It seems to be defaulting to R_YEAR+1
What is the intention when there is no year in the source?
This sounds interesting. A quick look at the code didn't reveal anything obviously wrong. I'll see what I can do about it, since reproduction seems easy enough (and then it's just a little bit of gdb-magic away to spot the error).
Thanks for the report!
If there's no year in the incoming timestamp, syslog-ng applies a heuristics to determine the actual year. This heuristics assumes that the incoming message was generated quite close to the current system time.
Here's the algorithm (quoting the source):
/* detect if the message is coming from last year. If its * month is at least one larger than the current month. This * handles both clocks that are in the future, or in the * past: * in January we receive a message from December (past) => last year * in January we receive a message from February (future) => same year * in December we receive a message from January (future) => next year */ if (tm.tm_mon > nowtm.tm_mon + 1) tm.tm_year--; if (tm.tm_mon < nowtm.tm_mon - 1) tm.tm_year++;
BTW: if you want to process historical data, please use a complete timestamp that includes year information. syslog-ng is certainly capable of doing that, but as far as I know rsyslog can do that too. -- Bazsi