$YEAR/$MONTH/$DAY generates always 2002/12/31
Hello,

I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2. I put into syslog-ng.conf lines (for test purpose):

    source net { udp(); };
    destination hosts {
        file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
    };
    log { source(net); destination(hosts); };

Now I can see directories like that:

    /var/log/hosts/localhost/2003/2003/12/01
    /var/log/hosts/localhost/2003/2003/12/02

that's OK. But also:

    /var/log/hosts/localhost/2002/12/31

Inside that dir files: auth, authpriv, local7. Dates inside above 3 files are OK.

Anyone could help me? What's going on?

Piotr Wolinski
On 2003.12.02 12:36, Piotr Woliński wrote:
Hello,
I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2 I put into syslog-ng.conf lines (for test purpose): [...] Now I can see directories like that: /var/log/hosts/localhost/2003/2003/12/01 /var/log/hosts/localhost/2003/2003/12/02 that's OK.
But also: /var/log/hosts/localhost/2002/12/31
Inside that dir files: auth, authpriv, local7.
upgrade to >=1.6.0rc4, it's a known bug Niels
On Tue, 2 Dec 2003, Niels Burmeister wrote:
On 2003.12.02 12:36, Piotr Woliński wrote:
Hello,
I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2 I put into syslog-ng.conf lines (for test purpose): [...] Now I can see directories like that: /var/log/hosts/localhost/2003/2003/12/01 /var/log/hosts/localhost/2003/2003/12/02 that's OK.
But also: /var/log/hosts/localhost/2002/12/31
Inside that dir files: auth, authpriv, local7.
upgrade to >=1.6.0rc4, it's a known bug
That "bug" is still there, but the problem appears to come from the locale settings (locale). I tried to strace data from logger to syslog-ng (see the contents of my syslog-ng.conf at the end of this message).

I. In my case, LC_TIME="ru_RU.koi8r".

1. logger -p local4.info abcdefgh
2. strace -p syslog-ng.pid -t

    15:09:03 read(9, "<166>\361\316\327 28 15:09:03 tsp: abcdef"..., 2048) = 35
                      ^^^^^^^^^^^^^^^^^ - russian date format of "15:09:03 Wed Jan 28"
    15:09:03 time(NULL) = 1075291743
    15:09:03 time(NULL) = 1075291743
    15:09:03 open("/var/log/messages.local4.info", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0600) = 10
    15:09:03 chown32(0x8083ec0, 0, 0) = 0
    15:09:03 chmod("/var/log/messages.local4.info", 0600) = 0
    15:09:03 fcntl64(10, F_GETFL) = 0x8c01 (flags O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE)
    15:09:03 fcntl64(10, F_SETFL, O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE) = 0
    15:09:03 fcntl64(10, F_SETFD, FD_CLOEXEC) = 0
    15:09:03 time(NULL) = 1075291743
    15:09:03 time(NULL) = 1075291743
    15:09:03 open("/var/drweb/log/mail/drweb-postfix-31.12.2003", O_WRONLY|O_NONBLOCK|O_APPEND|O_CREAT|O_NOCTTY|O_LARGEFILE, 0600) = 20
    15:09:03 chown32(0x8076a30, 0, 0) = 0
    15:09:03 chmod("/var/drweb/log/mail/drweb-postfix-31.12.2003", 0600) = 0
    15:09:03 fcntl64(20, F_GETFL) = 0x8c01 (flags O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE)
    15:09:03 fcntl64(20, F_SETFL, O_WRONLY|O_NONBLOCK|O_APPEND|O_LARGEFILE) = 0
    15:09:03 fcntl64(20, F_SETFD, FD_CLOEXEC) = 0
    15:09:03 time(NULL) = 1075291743
    15:09:03 time(NULL) = 1075291743
    15:09:03 time(NULL) = 1075291743
    15:09:03 write(20, "\361\316\327 28 15:09:03 canopus tsp: abc"..., 38) = 38
    15:09:03 write(10, "\361\316\327 28 15:09:03 canopus tsp: abc"..., 38) = 38
    15:09:03 read(9, "", 2048) = 0
    15:09:03 time(NULL) = 1075291743
    15:09:03 time(NULL) = 1075291743
    15:09:03 close(9)

This resulted in the generation of 'drweb-postfix-31.12.2003' file in addition to 'drweb-postfix-28.01.2004' (the current date was 'Wed Jan 28 17:42:48 MSK 2004'), and other application (not "logger") write to drweb-postfix-28.01.2004.

II. I changed LC_TIME="ru_RU.koi8r" to LC_TIME="en_US" and syslog-ng worked fine:

1. logger -p local4.info abcdefgh
2. {canopus} fgrep abcde drweb-postfix-28.01.2004

    Jan 28 17:45:59 canopus tsp: abcdefgh

3. No 'drweb-postfix-31.12.2003' was generated

Dear author, is it possible to fix (add code to resolve non en_US locale) this problem? Many thanks in advance.

syslog-ng.conf:

    destination d_drwebp { file("/var/drweb/log/mail/drweb-postfix-$DAY.$MONTH.$YEAR"); };
    filter f_filter19 { facility(local4); };
    log { source(s_sys); filter(f_filter19); destination(d_drwebp); };

-- 
Serge P. Torop
St.Petersburg, Russia
On Tue, 2004-02-03 at 10:43, Serge Torop wrote:
On Tue, 2 Dec 2003, Niels Burmeister wrote:
On 2003.12.02 12:36, Piotr Woliński wrote:
Hello,
I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2 I put into syslog-ng.conf lines (for test purpose): [...] Now I can see directories like that: /var/log/hosts/localhost/2003/2003/12/01 /var/log/hosts/localhost/2003/2003/12/02 that's OK.
But also: /var/log/hosts/localhost/2002/12/31
Inside that dir files: auth, authpriv, local7.
upgrade to >=1.6.0rc4, it's a known bug
That "bug" is still there, but the problem appears to come from the locale settings (locale).
I tried to strace data from logger to syslog-ng (see the contents of my syslog-ng.conf at the end of this message).
I.
In my case, LC_TIME="ru_RU.koi8r".
1. logger -p local4.info abcdefgh 2. strace -p syslog-ng.pid -t
15:09:03 read(9, "<166>\361\316\327 28 15:09:03 tsp: abcdef"..., 2048) = 35 ^^^^^^^^^^^^^^^^^ - russian date format of "15:09:03 Wed Jan 28"
I think logger is the one which should be fixed. It should send its timestamp independently of its current locale. The date stamp is part of the syslog protocol.

syslog-ng parses this date stamp using strptime() like this:

    strptime((char *) lm->date->data, "%b %e %H:%M:%S", &tm)

The call to strptime() probably fails, and the timestamp you get has no real connection to the timestamp received in the message.

and autodetects year (as it is not included in the message) like this:

    tm.tm_year = nowtm->tm_year;
    if (tm.tm_mon > nowtm->tm_mon + 1)
        tm.tm_year--;

tm is the received timestamp, nowtm is the current time
15:09:03 time(NULL) = 1075291743 15:09:03 time(NULL) = 1075291743 15:09:03 open("/var/log/messages.local4.info",
-- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
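The failure mode described in the reply above, as an added example (not syslog-ng's code): stamp() runs the quoted strptime() format and year guess on the KOI8-R header bytes from the strace, once ignoring the parse result and once falling back to the receive time. It assumes the struct tm is zeroed before parsing and normalized with mktime(), which the thread does not show; make_now() and stamp() are hypothetical names.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* exposes strptime() in <time.h> */
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Repeated so the example builds even if headers were included earlier. */
char *strptime(const char *s, const char *fmt, struct tm *tm);

/* Constructed receive time: local noon on the given date. */
struct tm make_now(int year, int mon, int mday) {
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900; t.tm_mon = mon - 1; t.tm_mday = mday;
    t.tm_hour = 12; t.tm_isdst = -1;
    mktime(&t);
    return t;
}

/* Year guess as quoted in the thread. */
static void guess_year(struct tm *tm, const struct tm *nowtm) {
    tm->tm_year = nowtm->tm_year;
    if (tm->tm_mon > nowtm->tm_mon + 1)
        tm->tm_year--;
}

/* Parses the header date and writes YYYY/MM/DD to out. With check == 0 the
 * strptime() result is ignored; with check != 0 a failed parse falls back to
 * the receive time. Returns 1 if the header date parsed, else 0. */
int stamp(const char *hdr, const struct tm *nowtm, int check, char *out, size_t n) {
    struct tm tm;
    int parsed;
    memset(&tm, 0, sizeof tm);           /* assumption: zeroed before parsing */
    parsed = strptime(hdr, "%b %e %H:%M:%S", &tm) != NULL;
    if (!parsed && check)
        tm = *nowtm;                     /* use the receive time instead */
    else
        guess_year(&tm, nowtm);
    tm.tm_isdst = -1;
    mktime(&tm);                         /* assumption: normalized by mktime() */
    strftime(out, n, "%Y/%m/%d", &tm);
    return parsed;
}

int main(void) {
    const char *koi8 = "\361\316\327 28 15:09:03";  /* header bytes from the strace */
    struct tm now = make_now(2004, 1, 28);
    char a[16], b[16];
    stamp(koi8, &now, 0, a, sizeof a);
    stamp(koi8, &now, 1, b, sizeof b);
    printf("unchecked: %s\nchecked:   %s\n", a, b);
    return 0;
}
```

With the check off, the untouched day-of-month 0 in January normalizes to 31 December of the previous year, which matches the 2002/12/31 and 31.12.2003 names reported in the thread.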
Hello, all. Is possible to run syslog-ng into the chroot jail? -- Serge P. Torop St.Petersburg, Russia
On Fri, 2004-02-20 at 11:50, Serge Torop wrote:
Hello, all.
Is possible to run syslog-ng into the chroot jail?
yes. it can even chroot itself, so no need to have libc in the jail. check out the -C parameter. ps: you might not be able to fetch local messages, but you could do that by using a separate syslogd/syslog-ng process outside and inside the jail. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Sun, Feb 22, 2004 at 12:00:13PM +0100, Balazs Scheidler wrote:
On Fri, 2004-02-20 at 11:50, Serge Torop wrote:
Hello, all.
Is possible to run syslog-ng into the chroot jail?
yes. it can even chroot itself, so no need to have libc in the jail.
check out the -C parameter.
ps: you might not be able to fetch local messages, but you could do that by using a separate syslogd/syslog-ng process outside and inside the jail.
Someone who actually does this should send the configs to me and/or the list so that it can get into the FAQ. I want something used in production (or I could just come up with it myself ;). Thanks. -- Nate "To err is human but to really foul things up requires a computer." - Anonymous in 'Farmer's Almanac for 1978' 1977
On Tue, Dec 02, 2003 at 12:36:05PM +0100, Piotr Woliński wrote:
Hello,
I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2 I put into syslog-ng.conf lines (for test purpose):
source net { udp(); }; destination hosts { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; log {source(net); destination(hosts); };
Now I can see directories like that: /var/log/hosts/localhost/2003/2003/12/01 /var/log/hosts/localhost/2003/2003/12/02 that's OK.
But also: /var/log/hosts/localhost/2002/12/31
as the year is not included in incoming messages syslog-ng tries to guess a year based on current time and the received time. as there was a change in this area in 1.6.0rc4 try that version and check whether it fixes your problem. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
User Balazs Scheidler wrote:
as the year is not included in incoming messages syslog-ng tries to guess a year based on current time and the received time. as there was a change in this area in 1.6.0rc4 try that version and check whether it fixes your problem.
I tried. It doesn't fix. :-( You wrote that year is not included. But I have wrong month and day too. Piotr Woliński
On Tue, 2 Dec 2003, Balazs Scheidler wrote:
On Tue, Dec 02, 2003 at 12:36:05PM +0100, Piotr Woliński wrote:
Hello,
I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2 I put into syslog-ng.conf lines (for test purpose):
source net { udp(); }; destination hosts { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; log {source(net); destination(hosts); };
Now I can see directories like that: /var/log/hosts/localhost/2003/2003/12/01 /var/log/hosts/localhost/2003/2003/12/02 that's OK.
But also: /var/log/hosts/localhost/2002/12/31
as the year is not included in incoming messages syslog-ng tries to guess a year based on current time and the received time. as there was a change in this area in 1.6.0rc4 try that version and check whether it fixes your problem.
I tried syslog-ng 1.6.0rc4:

    # /usr/local/sbin/syslog-ng -V
    syslog-ng 1.6.0rc4

The problem remained. My conf:

    destination d_daemons { file("/var/log/daemons/daemons-info.$MONTH.$YEAR"); };

    # ls -1 /var/log/daemons
    daemons-info.10.2003
    daemons-info.11.2003
    daemons-info.12.2003 - !!

-- 
Serge P. Torop
St.Petersburg, Russia
On Wed, 3 Dec 2003, Serge Torop wrote:
On Tue, 2 Dec 2003, Balazs Scheidler wrote:
On Tue, Dec 02, 2003 at 12:36:05PM +0100, Piotr Woliński wrote:
Hello,
I have PLD Linux kernel 2.4.20 and syslog-ng-1.6.0-0.rc3.2 I put into syslog-ng.conf lines (for test purpose):
source net { udp(); }; destination hosts { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; log {source(net); destination(hosts); };
Now I can see directories like that: /var/log/hosts/localhost/2003/2003/12/01 /var/log/hosts/localhost/2003/2003/12/02 that's OK.
But also: /var/log/hosts/localhost/2002/12/31
as the year is not included in incoming messages syslog-ng tries to guess a year based on current time and the received time. as there was a change in this area in 1.6.0rc4 try that version and check whether it fixes your problem.
I tried syslog-ng 1.6.0rc4:
# /usr/local/sbin/syslog-ng -V syslog-ng 1.6.0rc4
The problem remained.
My conf:
destination d_daemons { file("/var/log/daemons/daemons-info.$MONTH.$YEAR"); };
# ls -1 /var/log/daemons
daemons-info.10.2003 daemons-info.11.2003 daemons-info.12.2003 - !!
Sorry, wrong dir. This is correct:

    # ls -1 /var/log/fetchmail
    fetchmaillog.03.12.2003
    fetchmaillog.31.12.2002 - !!!

-- 
Serge P. Torop
St.Petersburg, Russia
On Wed, Dec 03, 2003 at 04:20:09PM +0300, Serge Torop wrote:
On Wed, 3 Dec 2003, Serge Torop wrote:
Sorry, wrong dir. This is correct:
# ls -1 /var/log/fetchmail
fetchmaillog.03.12.2003 fetchmaillog.31.12.2002 - !!!
Then as last resort, the sender probably sent an incorrect date, you might have a clock skew or something. Please check the incoming log message using either tcpdump or strace, or try $R_MONTH and $R_DAY for received time stamp, instead of the stamp within the message. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
User Balazs Scheidler wrote:
fetchmaillog.03.12.2003 fetchmaillog.31.12.2002 - !!!
Then as last resort, the sender probably sent an incorrect date, you might have a clock skew or something. Please check the incoming log message using either tcpdump or strace, or try $R_MONTH and $R_DAY for received time stamp, instead of the stamp within the message.
I don't think so. In my example the same sender generates wrong and good date in the same moment. The problem is only for facility auth, authpriv, local7. -- _____________________________________________________ Piotr Wolin'ski Dom Finansowy QS