And in addition, the timestamp of the message does not contain a year, there's a heuristic in syslog-ng to determine that.
Here's the heuristic used:
tm.tm_year = nowtm.tm_year; if (tm.tm_mon > nowtm.tm_mon) tm.tm_year--;
E.g. if the current month is smaller than the month in the timestamp, syslog-ng assumes that it comes from the previous year. Hmm... Maybe this heuristic would be better:
tm.tm_year = nowtm.tm_year; if (tm.tm_mon == 11 && nowtm.tm_mon == 0) tm.tm_year--;
E.g. the year is decreased only if the receiver's time is in January, and the sender came in as December. This would not handle really
skewed
timestamps, but your case would be covered.
I'm reluctant to change this in 2.0 (the current algorithm has been in place for about a decade now), however I can commit a patch to 2.1. What do others think?
And a side-note: the best solution is to use a timestamp that actually includes the year information, like ISODATE.
How can I set ISODATE? NOTICE: This email contains privileged and confidential information and is intended only for the individual to whom it is addressed. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this transmission by mistake and delete this communication from your system. E-mail transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. AVIS: Le pr�sent courriel contient des renseignements de nature privil�gi�e et confidentielle et n�est destin� qu'� la personne � qui il est adress�. Si vous n��tes pas le destinataire pr�vu, vous �tes par les pr�sentes avis�s que toute diffusion, distribution ou reproduction de cette communication est strictement interdite.� Si vous avez re�u ce courriel par erreur, veuillez en aviser imm�diatement l�exp�diteur et le supprimer de votre syst�me. Notez que la transmission de courriel ne peut en aucun cas �tre consid�r� comme inviolable ou exempt d�erreur puisque les informations qu�il contient pourraient �tre intercept�s, corrompues, perdues, d�truites, arriv�es en retard ou incompl�tes ou contenir un virus. �