[syslog-ng] syslog-ng logging with wrong year
Balazs Scheidler
bazsi at balabit.hu
Wed Apr 9 14:38:40 CEST 2008
On Wed, 2008-04-09 at 13:02 +0100, G.W. Haywood wrote:
> Hi there,
>
> On Wed, 9 Apr 2008 Balazs Scheidler wrote:
>
> > ...the timestamp of the message does not contain a year, there's a
> > heuristic in syslog-ng to determine that.
> > ...
> > I'm reluctant to change this in 2.0 (the current algorithm has been
> > in place for about a decade now), however I can commit a patch to 2.1.
> > What do others think?
>
> If you do, please make it optional, disabled by default. It could be
> enabled by a command-line switch or by the configuration file options.
>
If I did that, there'd be no point in adding it in the first place. If I
changed everything in the way you describe there would be no end of
switches, command line or otherwise, that would control knobs inside
syslog-ng here and there. And I doubt users could make an educated guess
on how to set syslog-ng up.

It seems that the current heuristic is wrong whenever the time on the
client machine is in the future compared to the receiving end.

I was wrong about the "decade" old estimate, in syslog-ng 1.6.x this was
changed a couple of years back to:

    tm.tm_year = nowtm->tm_year;
    if (tm.tm_mon > nowtm->tm_mon + 1)
      tm.tm_year--;

E.g. it requires _at least_ two months difference in order to assume
that the timestamp is in the past year.

It was changed here:

2001-06-11 Balazs Scheidler <bazsi at balabit.hu>

    * src/log.c (parse_log_msg): fixed year recognition logic (reported
      by <dj AT gregor.com>)

This algorithm above is less intrusive than the one that I suggested in my
previous post, and as it seems has been tested in production for 5-6 years in
syslog-ng 1.6.x

Based on this I'm thinking about committing the same to both 2.0 and 2.1.
Any other comments?

--
Bazsi
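
The year rule quoted in the message above, wrapped in a small C function and run over constructed month pairs. This is an added example, not part of the original post or of syslog-ng's source; infer_tm_year, infer_year and the sample dates are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* The three lines quoted in the message, as a function (hypothetical
 * wrapper). Months are 0-11 and the result is years since 1900, as in
 * struct tm. */
static int infer_tm_year(int msg_mon, const struct tm *nowtm)
{
    struct tm tm = {0};

    tm.tm_mon = msg_mon;
    tm.tm_year = nowtm->tm_year;
    if (tm.tm_mon > nowtm->tm_mon + 1)
        tm.tm_year--;
    return tm.tm_year;
}

/* Convenience form (hypothetical): calendar months 1-12, full years. */
int infer_year(int msg_month, int recv_year, int recv_month)
{
    struct tm now = {0};

    now.tm_year = recv_year - 1900;
    now.tm_mon = recv_month - 1;
    return infer_tm_year(msg_month - 1, &now) + 1900;
}

int main(void)
{
    /* Constructed cases: message month, receiver year, receiver month. */
    static const struct { int mm, ry, rm; const char *note; } cases[] = {
        { 12, 2008,  1, "December message arriving in January" },
        {  2, 2008,  1, "sender clock one month ahead" },
        {  3, 2008,  1, "two months ahead: taken as last year" },
        {  1, 2008, 12, "sender already in January: year not advanced" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("msg month %2d, received %d-%02d -> year %d  (%s)\n",
               cases[i].mm, cases[i].ry, cases[i].rm,
               infer_year(cases[i].mm, cases[i].ry, cases[i].rm),
               cases[i].note);
    return 0;
}
```

The last case shows that these three lines only ever move the year backwards: a January timestamp received in December is stamped with the receiver's current year.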