[syslog-ng] syslog-ng logging with wrong year

Balazs Scheidler bazsi at balabit.hu
Wed Apr 9 08:51:24 CEST 2008


On Wed, 2008-04-09 at 07:05 +0100, Geller, Sandor (IT) wrote:
> Hi,
> 
> > Hello, 
> > 
> > We have a log collector receiving logs from several nodes and it is
> > logging in the wrong $YEAR directory every 1st of the month for some
> > hosts for about 2 minutes...
> 
> My first guess is that the system clock of the affected hosts might be
> skewed.
> 
> > We have 75 nodes sending logs, and we have a directory created under
> > /var/log/hosts/2007/*/01/hostname for about 3-4 hosts.
> 
> Could you check the system clock of these?
> 
> > destination d_local
> > {
> >         file("/var/log/hosts/$YEAR/$MONTH/$DAY/$HOST");
> > };
> 
> These macros use the timestamp of the log message. Macros prefixed with
> R_ use the timestamp of the receiver (the syslog-ng server). So either
> the system clock of the hosts should be adjusted or the $R_YEAR,
> $R_MONTH, ... macros should be used. I'd check the system clock first.
> 
> Regards,

And in addition, the timestamp of the message does not contain a year,
there's a heuristic in syslog-ng to determine that.

Here's the heuristic used:

      tm.tm_year = nowtm.tm_year;
      if (tm.tm_mon > nowtm.tm_mon)
        tm.tm_year--;

I.e. if the current month is smaller than the month in the timestamp,
syslog-ng assumes that it comes from the previous year. Hmm... Maybe
this heuristic would be better:

      tm.tm_year = nowtm.tm_year;
      if (tm.tm_mon == 11 && nowtm.tm_mon == 0)
        tm.tm_year--;

I.e. the year is decreased only if the receiver's time is in January,
and the sender came in as December. This would not handle really skewed
timestamps, but your case would be covered.

I'm reluctant to change this in 2.0 (the current algorithm has been in
place for about a decade now), however I can commit a patch to 2.1. What
do others think?

And a side-note: the best solution is to use a timestamp that actually
includes the year information, like ISODATE.


-- 
Bazsi
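
The two heuristics quoted in the message above, run side by side over constructed month pairs (an added example, not part of the original message and not syslog-ng source). The wrapper `infer_year`, the function names and the sample cases are assumptions made for illustration; only the two `if` conditions come from the message.

```c
#include <stdio.h>
#include <time.h>

/* Current heuristic, as quoted in the message. */
static void year_current(struct tm *tm, const struct tm *nowtm)
{
    tm->tm_year = nowtm->tm_year;
    if (tm->tm_mon > nowtm->tm_mon)
        tm->tm_year--;
}

/* Proposed heuristic, as quoted in the message. */
static void year_proposed(struct tm *tm, const struct tm *nowtm)
{
    tm->tm_year = nowtm->tm_year;
    if (tm->tm_mon == 11 && nowtm->tm_mon == 0)
        tm->tm_year--;
}

/* Hypothetical helper: calendar year assigned to a message whose timestamp
 * month is msg_mon (0-11) when the receiver clock reads now_mon/now_year. */
int infer_year(int proposed, int msg_mon, int now_mon, int now_year)
{
    struct tm tm = {0}, nowtm = {0};
    tm.tm_mon = msg_mon;
    nowtm.tm_mon = now_mon;
    nowtm.tm_year = now_year - 1900;
    if (proposed)
        year_proposed(&tm, &nowtm);
    else
        year_current(&tm, &nowtm);
    return tm.tm_year + 1900;
}

int main(void)
{
    /* Constructed cases; the receiver's year is 2008 throughout. */
    static const struct { const char *what; int msg_mon, now_mon; } c[] = {
        { "sender 2 min fast, Mar->Apr rollover", 3, 2 },
        { "Dec message received in Jan",          11, 0 },
        { "Nov message delayed until Jan",        10, 0 },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-38s current=%d proposed=%d\n", c[i].what,
               infer_year(0, c[i].msg_mon, c[i].now_mon, 2008),
               infer_year(1, c[i].msg_mon, c[i].now_mon, 2008));
    return 0;
}
```

The first case is the reported symptom: a sender whose clock runs slightly ahead stamps a message with the next month, and the current heuristic files it under the previous year. The third case is the "really skewed" situation the message says the proposed heuristic would not handle.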


