On Wed, 2008-04-09 at 09:20 -0400, Jean-Sebastien Pilon wrote:
And in addition, the timestamp of the message does not contain a year, there's a heuristic in syslog-ng to determine that.
Here's the heuristic used:
tm.tm_year = nowtm.tm_year; if (tm.tm_mon > nowtm.tm_mon) tm.tm_year--;
E.g. if the current month is smaller than the month in the timestamp, syslog-ng assumes that it comes from the previous year. Hmm... Maybe this heuristic would be better:
tm.tm_year = nowtm.tm_year; if (tm.tm_mon == 11 && nowtm.tm_mon == 0) tm.tm_year--;
E.g. the year is decreased only if the receiver's time is in January, and the sender came in as December. This would not handle really
skewed
timestamps, but your case would be covered.
I'm reluctant to change this in 2.0 (the current algorithm has been in place for about a decade now), however I can commit a patch to 2.1. What do others think?
And a side-note: the best solution is to use a timestamp that actually includes the year information, like ISODATE.
How can I set ISODATE?
You should use a template to override the format that syslog-ng uses by default, like: destination d1 { tcp("host" template("<$PRI>$ISODATE $HOST $MSG\n"); }; On the client. On the server no changes are necessary it will autodetect the timestamp as received from the network. -- Bazsi