Balazs Scheidler wrote:
On Wed, 2008-04-09 at 09:20 -0400, Jean-Sebastien Pilon wrote:
And in addition, the timestamp of the message does not contain a year, there's a heuristic in syslog-ng to determine that.
Here's the heuristic used:
tm.tm_year = nowtm.tm_year; if (tm.tm_mon > nowtm.tm_mon) tm.tm_year--;
E.g. if the current month is smaller than the month in the timestamp, syslog-ng assumes that it comes from the previous year. Hmm... Maybe this heuristic would be better:
tm.tm_year = nowtm.tm_year; if (tm.tm_mon == 11 && nowtm.tm_mon == 0) tm.tm_year--;
E.g. the year is decreased only if the receiver's time is in January, and the sender came in as December. This would not handle really skewed timestamps, but your case would be covered.
I'm reluctant to change this in 2.0 (the current algorithm has been in place for about a decade now), however I can commit a patch to 2.1. What do others think?
And a side-note: the best solution is to use a timestamp that actually includes the year information, like ISODATE.
How can I set ISODATE?
You should use a template to override the format that syslog-ng uses by default, like:
destination d1 { tcp("host" template("<$PRI>$ISODATE $HOST $MSG\n"); };
On the client. On the server no changes are necessary it will autodetect the timestamp as received from the network.
Except that when I try to use the $ISODATE in the "on the wire" tcp connection in syslog-ng 2.0.8 (both ends) syslog-ng didn't parse the message correctly at all. It behaved just like there was no time or host in the message at all. template accounting { template("<030>$R_ISODATE $HOST dsmacct: UVIC_ADM1: $MSG\n"); template_escape(no); }; options { sync(0); log_fifo_size(100000); use_fqdn(yes); keep_hostname(no); chain_hostnames(no); time_reap(60); time_reopen(5); }; I just switched to $R_DATE and all works. I assumed that the ISODATE was just not handled by syslog-ng on an incoming connection as it is well outside the RFC. Evan. -- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria