syslog-ng 3.0.4 not adjusting for daylight savings time
I have a Red Hat 3 system running 3.0.4. It did not successfully adjust for daylight savings time. Everything else on the system is fine - syslog is showing the correct time stamps, the system reports the correct time. Restart of syslog-ng, and shutting down both syslog and syslog-ng did not help. I didn't see anything in the lists addressing this, here are details of my syslog-ng:

[fabric@netlog dhcp]$ sudo /usr/local/sbin/syslog-ng -V
syslog-ng 3.0.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
Compile-Date: Aug 24 2009 16:54:31
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: off

I didn't see anything in the man page for adjusting for time. I have keep_timestamp(no) configured in my conf file. The systems sending the syslog files time is correctly adjusted for daylight savings. Is this a bug in this particular version, or am I just missing the right flag or something?

chris
On Wed, 2010-03-17 at 09:44 -0500, Chris Fabri wrote:
> I have a Red Hat 3 system running 3.0.4. It did not successfully adjust for daylight savings time. Everything else on the system is fine - syslog is showing the correct time stamps, the system reports the correct time. Restart of syslog-ng, and shutting down both syslog and syslog-ng did not help. I didn't see anything in the lists addressing this, here are details of my syslog-ng:
>
> [fabric@netlog dhcp]$ sudo /usr/local/sbin/syslog-ng -V
> syslog-ng 3.0.4
> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
> Compile-Date: Aug 24 2009 16:54:31
> Enable-Threads: off
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-Sun-Door: off
> Enable-IPv6: on
> Enable-Spoof-Source: off
> Enable-TCP-Wrapper: on
> Enable-SSL: off
> Enable-SQL: off
> Enable-Linux-Caps: on
> Enable-Pcre: off
>
> I didn't see anything in the man page for adjusting for time. I have keep_timestamp(no) configured in my conf file. The systems sending the syslog files time is correctly adjusted for daylight savings. Is this a bug in this particular version, or am I just missing the right flag or something? chris
You state that syslog is showing correct timestamps. Is that syslogd? Or where do you see the problem?

-- Bazsi
On Thu, Mar 18, 2010 at 4:53 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> You state that syslog is showing correct timestamps. Is that syslogd? Or where do you see the problem?

Problem is only with syslog-ng. syslogd is working fine.

chris
On Thu, 2010-03-18 at 09:19 -0500, Chris Fabri wrote:
> Problem is only with syslog-ng. syslogd is working fine.

Can you give a more concrete example? Like the timezone you are in, the message that gets misinterpreted.

syslog-ng should cope with timezones well. We had a recent related issue that it didn't work, but only in the transition window (e.g. for one hour until the DST becomes non-DST or vice versa)

-- Bazsi
Balazs Scheidler wrote:
> Can you give a more concrete example? Like the timezone you are in, the message that gets misinterpreted.
>
> syslog-ng should cope with timezones well. We had a recent related issue that it didn't work, but only in the transition window (e.g. for one hour until the DST becomes non-DST or vice versa)
I'm in Chicago so US/Central which is -0600 in Winter and -0500 in Summer.

Here's an example of the log:

Mar 22 11:34:34 netlog-e0 su(pam_unix)[4974]: session opened for user root by ...
Mar 22 10:38:16 netlog-e0 netlog syslog-ng[20695]: Log statistics ...

Here's the important part of the configuration concerning time:

options {
    use_dns(yes);           # syslog-ng blocks on DNS lookups
    use_fqdn(no);           # fully qualified domain name
    dns_cache(yes);         # syslog-ng internal dns caching
    keep_hostname(no);      # hostname from syslog message
    chain_hostnames(no);    # add resolved host name
    keep_timestamp(no);     # use received time v3
#   use_time_recvd(yes);    # time from syslog message v2
};

# syslog-ng internal messages
source src_internal { internal(); };

# increase max number of tcp sources
source src { tcp(max-connections(100)); };

Pat.
On Mon, 2010-03-22 at 12:01 -0500, Patrick A. Green wrote:
> I'm in Chicago so US/Central which is -0600 in Winter and -0500 in Summer.
>
> Here's an example of the log:
>
> Mar 22 11:34:34 netlog-e0 su(pam_unix)[4974]: session opened for user root by ...
> Mar 22 10:38:16 netlog-e0 netlog syslog-ng[20695]: Log statistics ...
>
> Here's the important part of the configuration concerning time:

and which is the expected time? 11:34 or 10:38?

> options {
>     use_dns(yes);           # syslog-ng blocks on DNS lookups
>     use_fqdn(no);           # fully qualified domain name
>     dns_cache(yes);         # syslog-ng internal dns caching
>     keep_hostname(no);      # hostname from syslog message
>     chain_hostnames(no);    # add resolved host name
>     keep_timestamp(no);     # use received time v3
> #   use_time_recvd(yes);    # time from syslog message v2
> };
>
> # syslog-ng internal messages
> source src_internal { internal(); };
>
> # increase max number of tcp sources
> source src { tcp(max-connections(100)); };

-- Bazsi
Balazs Scheidler wrote:
> and which is the expected time? 11:34 or 10:38?

10:38 should be 11:38.
Pat.
On Mon, 2010-03-22 at 14:21 -0500, Patrick A. Green wrote:
> 10:38 should be 11:38.
And any time you restart syslog-ng, it stays the same? The difference between the two log messages is that one of them gets generated by syslog-ng, the other is sent by an application.

Is this the same throughout your log file (e.g. all syslog-ng messages are off, while normal logs are OK?)

Are these logs received from a remote host, or they are both local? Could you please give more information about your environment?

I've added your testcase to my unit test collection and it seems to detect the timezone offset properly:

diff --git a/tests/unit/test_zone.c b/tests/unit/test_zone.c index 5f9a044..ef9a8ba 100644 --- a/tests/unit/test_zone.c +++ b/tests/unit/test_zone.c @@ -158,6 +158,10 @@ main(int argc, char *argv[]) testcase("NZ", 1111240799, 13*3600); /* Mar 20 02:00:00 2005 (NZT) +1200 */ testcase("NZ", 1111240800, 12*3600); + + testcase("US/Central", 1269337645, -5*3600); + testcase("US/Central", 1266879600, -6*3600); + now = time(NULL);

Are you sure syslog-ng's local timezone is properly set? Is syslog-ng running in a chroot? If it is, is the timezone in the chroot properly set?

-- Bazsi
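Review bot: the two US/Central cases added after the NZ block are about four weeks apart (1266879600 and 1269337645), so they confirm one offset on each side of the change but not the switch itself, whereas the NZ pair just above (1111240799 / 1111240800) checks two adjacent seconds with different offsets. Add a US/Central pair one second apart at the transition, and give each new case a date comment like the /* Mar 20 02:00:00 2005 (NZT) +1200 */ one above so the epoch values can be checked by eye.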
Balazs Scheidler wrote:
> And any time you restart syslog-ng, it stays the same? The difference between the two log messages is that one of them gets generated by syslog-ng, the other is sent by an application.
Here's a more detailed log that shows the consistency:

Mar 18 06:55:02 netlog-e0 netlog syslog-ng[18858]: Termination requested via signal, terminating;
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[18858]: syslog-ng shutting down; version='3.0.4'
Mar 18 06:55:02 netlog-e0 daemon/syslog-ng[18858]: Error removing pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 07:55:02 netlog-e0 syslog-ng: syslog-ng shutdown succeeded
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: Syslog connection established; fd='6', server='AF_INET(129.105.XXX.XXX:514)', local='AF_INET(0.0.0.0:0)'
Mar 18 07:55:02 netlog-e0 syslog-ng: syslog-ng: Error creating pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: Syslog connection established; fd='7', server='AF_UNIX(/dev/log)', local='AF_UNIX(anonymous)'
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: syslog-ng starting up; version='3.0.4'
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: Error opening control socket, bind() failed; socket='/usr/local/var/syslog-ng.ctl', error='No such file or directory (2)'
Mar 18 07:55:03 netlog-e0 syslog-ng: syslog-ng startup succeeded
Mar 18 06:58:13 netlog-e0 netlog syslog-ng[20656]: Termination requested via signal, terminating;
Mar 18 06:58:13 netlog-e0 daemon/syslog-ng[20656]: Error removing pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 07:58:13 netlog-e0 syslog-ng: syslog-ng shutdown succeeded
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: Syslog connection established; fd='6', server='AF_INET(129.105.XXX.XXX:514)', local='AF_INET(0.0.0.0:0)'
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: Syslog connection established; fd='7', server='AF_UNIX(/dev/log)', local='AF_UNIX(anonymous)'
Mar 18 07:58:15 netlog-e0 syslog-ng: syslog-ng: Error creating pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: syslog-ng starting up; version='3.0.4'
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: Error opening control socket, bind() failed; socket='/usr/local/var/syslog-ng.ctl', error='No such file or directory (2)'
Mar 18 07:58:16 netlog-e0 syslog-ng: syslog-ng startup succeeded
Mar 18 07:08:15 netlog-e0 netlog syslog-ng[20695]: Log statistics .......
> Is this the same throughout your log file (e.g. all syslog-ng messages are off, while normal logs are OK?)
The above shows this as well. Here's more:

Mar 17 09:42:52 netlog-e0 sshd(pam_unix)[18977]: session opened for user roger by (uid=0)
Mar 17 08:43:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:43:50 netlog-e0 sshd(pam_unix)[19023]: session opened for user fabric by (uid=0)
Mar 17 09:52:52 netlog-e0 sshd(pam_unix)[18892]: session closed for user fabric
Mar 17 08:53:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:59:07 netlog-e0 sshd(pam_unix)[19023]: session closed for user fabric
Mar 17 09:03:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:13:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
> Are these logs received from a remote host, or they are both local? Could you please give more information about your environment?
99% of the messages are coming from remote sources. We have routers, switches, firewalls, and nearly anything else that has syslog exporting come to this server. The system itself is a RHEL3 server. Its tzdata package is up to date.
> I've added your testcase to my unit test collection and it seems to detect the timezone offset properly:
diff --git a/tests/unit/test_zone.c b/tests/unit/test_zone.c index 5f9a044..ef9a8ba 100644 --- a/tests/unit/test_zone.c +++ b/tests/unit/test_zone.c @@ -158,6 +158,10 @@ main(int argc, char *argv[]) testcase("NZ", 1111240799, 13*3600); /* Mar 20 02:00:00 2005 (NZT) +1200 */ testcase("NZ", 1111240800, 12*3600); + + testcase("US/Central", 1269337645, -5*3600); + testcase("US/Central", 1266879600, -6*3600); +
now = time(NULL);
> Are you sure syslog-ng's local timezone is properly set? Is syslog-ng running in a chroot? If it is, is the timezone in the chroot properly set?
contents of /etc/sysconfig/clock:

ZONE="US/Central"
UTC=true
ARC=false

We are not running a chroot environment.

--
Patrick A. Green
Systems Engineer
Northwestern University Information Technology Network Transport
pgreen@northwestern.edu
847-467-5878 / Fax: 847-467-5690
Balazs Scheidler wrote:
> Are you sure syslog-ng's local timezone is properly set? Is syslog-ng running in a chroot? If it is, is the timezone in the chroot properly set?

We are in fact running chroot. Is there something more than /etc/localtime that needs to be put in the chroot environment?

--
Patrick A. Green
Systems Engineer
Northwestern University Information Technology Network Transport
pgreen@northwestern.edu
847-467-5878 / Fax: 847-467-5690
Patrick A. Green wrote:
> We are in fact running chroot. Is there something more than /etc/localtime that needs to be put in the chroot environment?

I was able to recreate this in a lab environment.

RHEL3.9

These packages were required to make 3.0.4 run:

pkgconfig-0.18
eventlog-0.2.5
glib-2.18.4

--
Patrick A. Green
Systems Engineer
Northwestern University Information Technology Network Transport
pgreen@northwestern.edu
847-467-5878 / Fax: 847-467-5690
On Thu, 2010-03-25 at 08:49 -0500, Patrick A. Green wrote:
> I was able to recreate this in a lab environment.
>
> RHEL3.9
>
> These packages were required to make 3.0.4 run:
>
> pkgconfig-0.18
> eventlog-0.2.5
> glib-2.18.4
Hi,

We've got an unrelated bug report which is similar to this one. I've ported that fix to the OSE right now, can you please test if this patch fixes the issue for you?

commit 76fba26d259036f0b6ffc6aafb5ca24a2d186594
Author: Juhasz Viktor <jviktor@balabit.hu>
Date: Sun Oct 25 02:15:17 2009 +0100

    [timestamp] solving the daylight saving problem (fixes: #20182)

    The problem was that the local services (CRON, dnsmasq) sends BSD timestamp which hasn't any zone information and we assumed that there wasn't daylight saving, so set the tm.tm_isdst to -1. The solution is that let's assume that the correct tm_isdst value is what we get from the current local time. If timezone isn't set, use the local one and calculate the correct time

diff --git a/src/logmsg.c b/src/logmsg.c index b0226c5..5855f09 100644 --- a/src/logmsg.c +++ b/src/logmsg.c @@ -1047,8 +1047,9 @@ log_msg_parse_date(LogMessage *self, const guchar **data, gint *length, guchar * p = (guchar *) strptime((gchar *) date, "%b %e %H:%M:%S", &tm); if (!p || (p && *p)) goto error; - - tm.tm_isdst = -1; + + /* In case of daylight saving let's assume that the message came under daylight saving also */ + tm.tm_isdst = nowtm.tm_isdst; tm.tm_year = nowtm.tm_year; if (tm.tm_mon > nowtm.tm_mon + 1) tm.tm_year--; 
@@ -1078,12 +1079,16 @@ log_msg_parse_date(LogMessage *self, const guchar **data, gint *length, guchar * * (tm.tm_hour - * unnormalized_hour) part fixes up. */ if (self->timestamps[LM_TS_STAMP].zone_offset == -1) - self->timestamps[LM_TS_STAMP].zone_offset = assume_timezone; - - if (self->timestamps[LM_TS_STAMP].zone_offset != -1) - self->timestamps[LM_TS_STAMP].time.tv_sec = self->timestamps[LM_TS_STAMP].time.tv_sec + get_local_timezone_ofs(self->timestamps[LM_TS_STAMP].time.tv_sec) - (tm.tm_hour - unnormalized_hour) * 3600 - self->timestamps[LM_TS_STAMP].zone_offset; - else - self->timestamps[LM_TS_STAMP].zone_offset = get_local_timezone_ofs(self->timestamps[LM_TS_STAMP].time.tv_sec); + { + self->timestamps[LM_TS_STAMP].zone_offset = assume_timezone; + } + if (self->timestamps[LM_TS_STAMP].zone_offset == -1) + { + self->timestamps[LM_TS_STAMP].zone_offset = get_local_timezone_ofs(self->timestamps[LM_TS_STAMP].time.tv_sec); + } + self->timestamps[LM_TS_STAMP].time.tv_sec = self->timestamps[LM_TS_STAMP].time.tv_sec + + get_local_timezone_ofs(self->timestamps[LM_TS_STAMP].time.tv_sec) - + (tm.tm_hour - unnormalized_hour) * 3600 - self->timestamps[LM_TS_STAMP].zone_offset; *data = src; *length = left; -- Bazsi
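Review bot: in the first hunk, `tm.tm_isdst = nowtm.tm_isdst;` applies the receiver's current DST state to every zone-less BSD timestamp, including stamps that the following lines date into the previous year with `tm.tm_year--`, so a message stamped on the other side of a DST change is converted with the wrong flag. The commit message reads -1 as "no daylight saving", but a negative tm_isdst asks mktime() to work out DST for the given date from the zone rules; the new comment should say why that was not sufficient here, or the override should be limited to the case that needs it.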
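Review bot: in the second hunk, when the new second `if (... zone_offset == -1)` fallback fires, zone_offset is taken from get_local_timezone_ofs() on the same tv_sec that the final assignment uses, so the two offset terms cancel and only the `(tm.tm_hour - unnormalized_hour) * 3600` fix-up is applied, where the old else branch left tv_sec untouched. If that behaviour change is intended, the comment above the block should say so, and zone_offset should be rechecked against the adjusted tv_sec, since it is computed before the fix-up moves the timestamp.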
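The effect of the tm_isdst hint that the commit message above is about, shown on zone-less BSD timestamps; this is an added example, not code from syslog-ng or from anyone in this thread. Assumptions: a POSIX TZ rule string stands in for US/Central, the year is fixed by the caller (2010 in the samples), sscanf replaces the strptime call seen in the patch, and `bsd_stamp_to_epoch` and `hint_error_seconds` are illustrative names.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumption: POSIX TZ rule standing in for US/Central under the 2010 rules
 * (CST = UTC-6, CDT = UTC-5, second Sunday of March to first Sunday of
 * November), so the result does not depend on installed tzdata. */
#define TZ_US_CENTRAL "CST6CDT,M3.2.0,M11.1.0"

enum { DST_FROM_RULES = -1, DST_FORCE_OFF = 0, DST_FORCE_ON = 1 };

/* Convert a zone-less BSD syslog stamp ("Mar 22 11:38:16") to epoch seconds.
 * The caller supplies the year and the tm_isdst hint handed to mktime().
 * Returns (time_t)-1 when the stamp does not parse. */
time_t bsd_stamp_to_epoch(const char *stamp, int year, int isdst_hint)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4] = "";
    int day, hh, mm, ss;
    const char *hit;
    struct tm tm;

    if (sscanf(stamp, "%3s %d %d:%d:%d", mon, &day, &hh, &mm, &ss) != 5)
        return (time_t)-1;
    hit = strstr(months, mon);
    if (strlen(mon) != 3 || hit == NULL || (hit - months) % 3 != 0)
        return (time_t)-1;
    if (day < 1 || day > 31 || hh < 0 || hh > 23 ||
        mm < 0 || mm > 59 || ss < 0 || ss > 60)
        return (time_t)-1;

    memset(&tm, 0, sizeof tm);
    tm.tm_year = year - 1900;
    tm.tm_mon = (int)(hit - months) / 3;
    tm.tm_mday = day;
    tm.tm_hour = hh;
    tm.tm_min = mm;
    tm.tm_sec = ss;
    tm.tm_isdst = isdst_hint;   /* the value the patch changes */

    setenv("TZ", TZ_US_CENTRAL, 1);
    tzset();
    return mktime(&tm);
}

/* Seconds by which a fixed DST hint moves the result away from what the
 * zone rules give for that date; 0 means the hint was harmless.
 * Returns LONG_MIN when the stamp does not parse. */
long hint_error_seconds(const char *stamp, int year, int isdst_hint)
{
    time_t by_rules = bsd_stamp_to_epoch(stamp, year, DST_FROM_RULES);
    time_t by_hint = bsd_stamp_to_epoch(stamp, year, isdst_hint);

    if (by_rules == (time_t)-1 || by_hint == (time_t)-1)
        return LONG_MIN;
    return (long)difftime(by_hint, by_rules);
}

int main(void)
{
    /* Constructed samples: a summer stamp, a winter stamp, and a stamp
     * inside the hour that occurs twice when DST ends. */
    const char *samples[] = {
        "Mar 22 11:38:16", "Feb 22 17:00:00", "Nov  7 01:30:00"
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%s  by-rules=%lld  forced-standard=%+lds  forced-dst=%+lds\n",
               samples[i],
               (long long)bsd_stamp_to_epoch(samples[i], 2010, DST_FROM_RULES),
               hint_error_seconds(samples[i], 2010, DST_FORCE_OFF),
               hint_error_seconds(samples[i], 2010, DST_FORCE_ON));
    }
    return 0;
}
```

A fixed hint that disagrees with the date's real DST state moves the result by exactly one hour, and for the repeated hour in November the stamp alone cannot say which of the two instants was meant.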
On Sun, Apr 4, 2010 at 3:44 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> Hi,
>
> We've got an unrelated bug report which is similar to this one. I've ported that fix to the OSE right now, can you please test if this patch fixes the issue for you?

The time fixed itself Sunday, so it looks like syslog-ng somehow was using old timezone data. We'll give things a test in our test environment that we duplicated the problem in.

chris
> You state that syslog is showing correct timestamps. Is that syslogd? Or where do you see the problem?
>
> -- Bazsi

syslogd has correct timestamps and syslog-ng does not.

--
Patrick A. Green
Systems Engineer
Northwestern University Information Technology Network Transport
pgreen@northwestern.edu
847-467-5878 / Fax: 847-467-5690
participants (3)
- Balazs Scheidler
- Chris Fabri
- Patrick A. Green