[syslog-ng] syslog-ng logging with wrong year

Balazs Scheidler bazsi at balabit.hu
Wed Apr 9 21:23:31 CEST 2008


On Wed, 2008-04-09 at 09:20 -0400, Jean-Sebastien Pilon wrote:
> > 
> > And in addition, the timestamp of the message does not contain a year,
> > there's a heuristic in syslog-ng to determine that.
> >
> > Here's the heuristic used:
> >
> >       tm.tm_year = nowtm.tm_year;
> >       if (tm.tm_mon > nowtm.tm_mon)
> >         tm.tm_year--;
> >
> > E.g. if the current month is smaller than the month in the timestamp,
> > syslog-ng assumes that it comes from the previous year. Hmm... Maybe
> > this heuristic would be better:
> >
> >       tm.tm_year = nowtm.tm_year;
> >       if (tm.tm_mon == 11 && nowtm.tm_mon == 0)
> >         tm.tm_year--;
> >
> > E.g. the year is decreased only if the receiver's time is in January,
> > and the sender came in as December. This would not handle really skewed
> > timestamps, but your case would be covered.
> >
> > I'm reluctant to change this in 2.0 (the current algorithm has been in
> > place for about a decade now), however I can commit a patch to 2.1. What
> > do others think?
> >
> > And a side-note: the best solution is to use a timestamp that actually
> > includes the year information, like ISODATE.
> 
> 
> How can I set ISODATE?

You should use a template to override the format that syslog-ng uses by
default, like:

destination d1 { tcp("host" template("<$PRI>$ISODATE $HOST $MSG\n")); };

On the client. On the server no changes are necessary; it will autodetect
the timestamp as received from the network.

-- 
Bazsi
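
The two year heuristics quoted above, run side by side, as an added example that is not part of the original post or of syslog-ng's source. The function names and the month pairs are constructed for illustration; months are 0-based as in struct tm.

```c
#include <stdio.h>

/* Heuristic quoted as currently in place: a timestamp month later than
 * the receiver's current month is taken to be from the previous year. */
static int year_current(int msg_mon, int now_mon, int now_year)
{
    int year = now_year;
    if (msg_mon > now_mon)
        year--;
    return year;
}

/* Heuristic proposed in the post: step back a year only when a December
 * timestamp arrives while the receiver's clock is in January. */
static int year_proposed(int msg_mon, int now_mon, int now_year)
{
    int year = now_year;
    if (msg_mon == 11 && now_mon == 0)
        year--;
    return year;
}

int main(void)
{
    static const char *mon[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    /* Constructed cases: { month in message, month on receiver }. */
    static const int cases[][2] = {
        { 11, 0 },  /* December message received in January          */
        {  4, 3 },  /* sender clock ahead across a month boundary     */
        {  3, 3 },  /* same month                                     */
        {  9, 1 },  /* October message received in February           */
    };
    const int now_year = 2008;  /* constructed receiver year */
    size_t i;

    printf("msg  now  current  proposed\n");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int m = cases[i][0], n = cases[i][1];
        printf("%s  %s  %d     %d\n", mon[m], mon[n],
               year_current(m, n, now_year), year_proposed(m, n, now_year));
    }
    return 0;
}
```

The second row is where the two differ for a sender whose clock is only slightly ahead; the last row is the heavily skewed case the post says the proposed rule does not cover.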


