[Bug 267] New: $YEAR on event in RFC 3164 format
https://bugzilla.balabit.com/show_bug.cgi?id=267

           Summary: $YEAR on event in RFC 3164 format
           Product: syslog-ng
           Version: 3.3.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: dtgarry@hotmail.com
Type of the Report: ---
   Estimated Hours: 0.0

I am using syslog-ng 3.3.4
Revision: /3.3.4.dfsg-2ubuntu1

I have a problem with the $YEAR macro when the event is in RFC 3164 format: sometimes $YEAR extracts the correct value of the year, but not always.

I tested this problem on a computer with the current date, 9 January 2014, sending some events with these dates:
- Dec 31 23:59:59, syslog-ng returns the year 2013;
- Jan 1 00:00:01, syslog-ng returns the year 2014;
- Feb 1 00:00:01, syslog-ng returns the year 2014;
- Mar 1 00:00:01, syslog-ng returns the year 2013;

How does syslog-ng extract the year from an event when there is no year? Is it possible to configure syslog-ng correctly?

For testing I have configured syslog-ng to call my program "mytest" like this:

    destination d_tst {
        program("/etc/syslog-ng/sbin/mytest"
            template("<$PRI>$DATE $HOST $PROGRAM $MSGONLY $HOST $FACILITY $PRIORITY $LEVEL $TAG $YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $PROGRAM\n")
            template-escape(yes)
        );
    };

In the mytest program I log what syslog-ng has parsed; today, that is the 9th of January 2014, I sent this string to syslog-ng:

    <131>Dec 31 23:59:59 hostTest processTest some test

On mytest I will receive:

    <131>Dec 31 23:59:59 hostTest processTest some test hostTest local0 err err 83 2013-12-31 23:59:59 processTest

Note the year is 2013.

If I send this:

    <131>Jan 1 00:00:01 hostTest processTest some test

I will receive:

    <131>Jan 1 00:00:01 hostTest processTest some test hostTest local0 err err 83 2014-01-01 00:00:01 processTest

Now the year is 2014.

But if I send this event, which is in the future:

    <131>Feb 1 00:00:01 hostTest processTest some test

I will receive:

    <131>Feb 1 00:00:01 hostTest processTest some test hostTest local0 err err 83 2014-02-01 00:00:01 processTest

The year is 2014.

If I send an event from March:

    <131>Mar 1 00:00:01 hostTest processTest some test

I will receive:

    <131>Mar 1 00:00:01 hostTest processTest some test hostTest local0 err err 83 2013-03-01 00:00:01 processTest

where the year is 2013.

Thank you.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=267

splintercode <dtgarry@hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtgarry@hotmail.com

--- Comment #1 from splintercode <dtgarry@hotmail.com> 2014-01-10 14:35:24 ---
Hello,

I have found in syslog-format.c, from line 385, this code:

    /* detect if the message is coming from last year. If its
     * month is at least one larger than the current month. This
     * handles both clocks that are in the future, or in the
     * past:
     *   in January we receive a message from December (past) => last year
     *   in January we receive a message from February (future) => same year
     *   in December we receive a message from January (future) => next year
     */
    if (tm.tm_mon > nowtm.tm_mon + 1)
      tm.tm_year--;
    if (tm.tm_mon < nowtm.tm_mon - 1)
      tm.tm_year++;

It seems that this code is responsible for the strange situation;
But I don't understand why? Is there an RFC referring to this?

Maybe this code would be best?

    if (tm.tm_mon > nowtm.tm_mon + 1)
      tm.tm_year--;

I think that if the date of the event is over the current date, this means that this is an event of the past year, not of the future.

Maybe it would be best to add a new parameter to syslog-ng.conf to configure this situation.

What do you think?

Thank you.

https://bugzilla.balabit.com/show_bug.cgi?id=267

--- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2014-01-19 13:49:50 ---
(In reply to comment #1)
> Hello,
>
> I have found in syslog-format.c, from line 385, this code:
>
>     /* detect if the message is coming from last year. If its
>      * month is at least one larger than the current month. This
>      * handles both clocks that are in the future, or in the
>      * past:
>      *   in January we receive a message from December (past) => last year
>      *   in January we receive a message from February (future) => same year
>      *   in December we receive a message from January (future) => next year
>      */
>     if (tm.tm_mon > nowtm.tm_mon + 1)
>       tm.tm_year--;
>     if (tm.tm_mon < nowtm.tm_mon - 1)
>       tm.tm_year++;
>
> It seems that this code is responsible for the strange situation;
> But I don't understand why? Is there an RFC referring to this?

no, it's an old heuristic to determine the information that is not there.

> Maybe this code would be best?
>
>     if (tm.tm_mon > nowtm.tm_mon + 1)
>       tm.tm_year--;
>
> I think that if the date of the event is over the current date, this means that this is an event of the past year, not of the future.
>
> Maybe it would be best to add a new parameter to syslog-ng.conf to configure this situation.
>
> What do you think?

I received similar reports and there's a preliminary patch here:

https://github.com/balabit/syslog-ng/commit/8105aea13eb52fcf53f99d6297e86bca...

However I didn't have enough time to think about the proposed solution there, so I haven't integrated it either.

I'd love to receive feedback on the proposed patch and if two people come to the same conclusion (the one who submitted the patch above and you), I'd be willing to merge the patch without further ado.

Thanks.

https://bugzilla.balabit.com/show_bug.cgi?id=267

--- Comment #3 from splintercode <dtgarry@hotmail.com> 2014-01-22 16:59:38 ---
Thank you.

I have tested the preliminary patch, but it generates more confusion; so for me it is not useful, and what's more it is also harmful. Please, DON'T RELEASE IT!

I think this code can resolve it:

    #include <time.h>

    int getYear_GapDay(const struct tm *eventTime, const struct tm *nowtm)
    {
      time_t t_eventTime, t_nowTime;
      /* mktime() may normalize its argument, so work on copies */
      struct tm save_eventTime = *eventTime;
      struct tm save_NowTime = *nowtm;
      int year = nowtm->tm_year;

      t_eventTime = mktime(&save_eventTime);
      t_nowTime = mktime(&save_NowTime);
      time_t seconds4Day = 60 * 60 * 24; // seconds in one day

      // if the event time > 1 day from now
      if ((t_eventTime - t_nowTime) > (seconds4Day))
        // the year of the event is the past year
        year--;
      return(year);
    }

The eventTime parameter is the event date/time read from the event; nowtm is the current date/time. It tests the date of the event and, if it is more than 1 day after the current date, assumes that the event refers to last year.

It may be very interesting if it were possible to pass a parameter to the $YEAR macro: the number of days after which the year of the event will be the past year. This is the value that in the test I have called "seconds4Day".

What do you think?

https://bugzilla.balabit.com/show_bug.cgi?id=267

--- Comment #4 from Balazs Scheidler <bazsi@balabit.hu> 2014-01-24 09:38:26 ---
Thanks for the suggestion.

My issue with only leaving a single day as gap to determine if it was coming from the past year is that sometimes logs get delayed and sitting in a buffer somewhere. That can cause longer delays and 1 day is a stretch for sure, but it does happen.

Also, I think we can safely assume that the client is sending logs from the current year, except when the log being sent is close to the beginning/end of the year, in which case differences in clocks can cause incorrectly recognized timestamps.

The thinking behind the other suggestion was, that if a timestamp would be too much in the future, it is instead assumed to be in the past instead.

https://bugzilla.balabit.com/show_bug.cgi?id=267

--- Comment #5 from splintercode <dtgarry@hotmail.com> 2014-01-24 12:52:56 ---
> The thinking behind the other suggestion was, that if a timestamp would be too much in the future, it is instead assumed to be in the past instead.

Yes, certainly 1 day is too low; probably 1 month, but .... is it too difficult to add a new parameter to syslog-ng.conf, or to the $YEAR macro? Then it is possible to configure the gap period.

Thank you.

https://bugzilla.balabit.com/show_bug.cgi?id=267

--- Comment #6 from Balazs Scheidler <bazsi@balabit.hu> 2014-01-31 12:25:19 ---
shouldn't be too hard I suppose.
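
Added example (not syslog-ng source and not code from either poster): the month-window heuristic quoted in comment #1 next to the gap-based rule discussed in comments #3 to #5, run on the reporter's four test dates with the receiver clock at 9 January 2014. The function names and the max_future_days parameter are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Month-window heuristic quoted in comment #1. Months are 0-based as in
 * struct tm; now_year and the result are full years such as 2014. */
int year_by_month_window(int msg_mon, int now_mon, int now_year)
{
    if (msg_mon > now_mon + 1)
        return now_year - 1;    /* far ahead in the calendar: last year */
    if (msg_mon < now_mon - 1)
        return now_year + 1;    /* far behind: sender is already in next year */
    return now_year;
}

/* Local-time midnight of a calendar date, as time_t. */
static time_t day_start(int year, int mon, int mday)
{
    struct tm t = {0};
    t.tm_year = year - 1900;
    t.tm_mon = mon;
    t.tm_mday = mday;
    t.tm_isdst = -1;
    return mktime(&t);
}

/* Gap variant from comments #3 to #5; max_future_days is an assumed knob.
 * The date is placed in the receiver's year and moved to the previous year
 * only if it would then lie more than max_future_days ahead of "now". */
int year_by_future_gap(int msg_mon, int msg_mday, int now_year, int now_mon,
                       int now_mday, int max_future_days)
{
    double ahead = difftime(day_start(now_year, msg_mon, msg_mday),
                            day_start(now_year, now_mon, now_mday));
    return ahead > max_future_days * 86400.0 ? now_year - 1 : now_year;
}

int main(void)
{
    /* Constructed input: the reporter's four dates, receiver at 9 Jan 2014. */
    static const struct { const char *s; int mon, mday; } ev[] = {
        {"Dec 31", 11, 31}, {"Jan  1", 0, 1}, {"Feb  1", 1, 1}, {"Mar  1", 2, 1} };
    for (int i = 0; i < 4; i++)
        printf("%s  window=%d  gap1=%d  gap30=%d\n", ev[i].s,
               year_by_month_window(ev[i].mon, 0, 2014),
               year_by_future_gap(ev[i].mon, ev[i].mday, 2014, 0, 9, 1),
               year_by_future_gap(ev[i].mon, ev[i].mday, 2014, 0, 9, 30));
    return 0;
}
```

With a receiver clock of 31 December 2014 and a message stamped Jan 1, the month-window rule returns 2015 while the gap rule returns 2014, which is the year-boundary case raised in comment #4. For log timelines used in incident response, that difference decides which year an event is filed under.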