[syslog-ng]Old log messages showing up followed by reboot

Guillaume Fraysse gfraysse@cvf.fr
Fri, 18 Oct 2002 16:42:53 +0200 

Hello everyone,

First step, let me introduce myself, my name is Guillaume Fraysse and I'm a French software engineer in an IT compagny. I just subscribed to this list because I haven't found anything about a problem I encountered when googling and browsing the archives of the list.

I, along with some fellow workers of mine, juste experienced a very strange behaviour. A linux (2.4.8, debian) server unexpectingly rebooted and while checking the logs we found out that at the time of the reboot nothing was to be found. Instead the last log messages (before the reboot) were from the day before. So the log file has old log messages right in the middle. Which gives something like that (I, of course, have blurred the logs)
Oct 18 13:29:07 some_home_app some_message
Oct 17 21:08:56 some_home_app some_old_message
Oct 17 21:08:57 some_home_app some_old_message
Oct 17 21:08:58 some_home_app some_old_message
Oct 17 21:08:59 some_home_app some_old_message
[...]
OcOct 18 13:43:50 some_host syslog-ng[136]: syslog-ng version 1.4.16 starting

(the OcOct isn't a typo, it's "as is")

It didn't happen only to one log file but to several of them (the excerpt above is taken from /var/log/messages) :
/var/log/debug
/var/log/messages
/var/log/syslog

Coincidentally those files are all the ones logging the facility used by one of our applications (let's say it's local4).

Here are the lines concerning /var/log/messages in the syslog-ng.conf file :

options { long_hostnames(off); sync(0); };
source src { unix-dgram("/dev/log"); internal(); };
destination messages { file("/var/log/messages" owner("root") group("group") perm(0640)); };
filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, local4); };
log { source(src); filter(f_messages); destination(messages); };

I assume it might not be a syslog-ng problem, more the way we use it, but does anyone have any idea about what could cause that behaviour ? Why do we see old messages like that ? And, even if they are old messages why aren't they logged with the current time ?

Cheers,
Guillaume