[syslog-ng] syslog-ng 3.0.4 not adjusting for daylight savings time

Patrick A. Green pgreen at northwestern.edu
Tue Mar 23 14:18:27 CET 2010



Balazs Scheidler wrote:
> On Mon, 2010-03-22 at 14:21 -0500, Patrick A. Green wrote:
>   
>> Balazs Scheidler wrote:
>>     
>>> On Mon, 2010-03-22 at 12:01 -0500, Patrick A. Green wrote:
>>>   
>>>       
>>>> Balazs Scheidler wrote:
>>>>     
>>>>         
>>>>> On Thu, 2010-03-18 at 09:19 -0500, Chris Fabri wrote:
>>>>>   
>>>>>       
>>>>>           
>>>>>> On Thu, Mar 18, 2010 at 4:53 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>>>>>>     
>>>>>>         
>>>>>>             
>>>>>>> On Wed, 2010-03-17 at 09:44 -0500, Chris Fabri wrote:
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>>>> I have a red hat 3 system running 3.0.4.  It did not successfully
>>>>>>>> adjust for daylight savings time.    Everything else on the system is
>>>>>>>> fine - syslog is showing the correct time stamps, the system reports
>>>>>>>> the correct time.   Restart of syslog-ng, and shutting down both
>>>>>>>> syslog and syslog-ng did not help.  I didn't see anything in the lists
>>>>>>>> addressing this, here are details of my syslog-ng:
>>>>>>>>
>>>>>>>> [fabric at netlog dhcp]$ sudo /usr/local/sbin/syslog-ng -V
>>>>>>>> syslog-ng 3.0.4
>>>>>>>> Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#1b5d618e301ad94aa20e692ffba16469dece8d10
>>>>>>>> Compile-Date: Aug 24 2009 16:54:31
>>>>>>>> Enable-Threads: off
>>>>>>>> Enable-Debug: off
>>>>>>>> Enable-GProf: off
>>>>>>>> Enable-Memtrace: off
>>>>>>>> Enable-Sun-STREAMS: off
>>>>>>>> Enable-Sun-Door: off
>>>>>>>> Enable-IPv6: on
>>>>>>>> Enable-Spoof-Source: off
>>>>>>>> Enable-TCP-Wrapper: on
>>>>>>>> Enable-SSL: off
>>>>>>>> Enable-SQL: off
>>>>>>>> Enable-Linux-Caps: on
>>>>>>>> Enable-Pcre: off
>>>>>>>>
>>>>>>>>
>>>>>>>>  I didn't see anything in the man page for adjusting for time.  I have
>>>>>>>> keep_timestamp(no) configured in my conf file.   The systems sending
>>>>>>>> the syslog files time is correctly adjusted for daylight savings.  Is
>>>>>>>> this a bug in this particular version, or am I just missing the right
>>>>>>>> flag or something?     chris
>>>>>>>>         
>>>>>>>>             
>>>>>>>>                 
>>>>>>> You state that syslog is showing correct timestamps. Is that syslogd? Or
>>>>>>> where do you see the problem?
>>>>>>>
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>> Problem is only with syslog-ng.   syslogd is working fine.   
>>>>>>     
>>>>>>         
>>>>>>             
>>>>> Can you give a more concrete example? Like the timezone you are in, the
>>>>> message that gets misinterpreted.
>>>>>
>>>>> syslog-ng should cope with timezones well. We had a recent related issue
>>>>> that it didn't work, but only in the transition window (e.g. for one
>>>>> hour until the DST becomes non-DST or vice versa)
>>>>>
>>>>>
>>>>>
>>>>>   
>>>>>       
>>>>>           
>>>> I'm in Chicago so US/Central which is -0600 in Winter and -0500 in Summer.
>>>>
>>>> Here's an example of the log:
>>>>
>>>> Mar 22 11:34:34 netlog-e0 su(pam_unix)[4974]: session opened for user root by ...
>>>> Mar 22 10:38:16 netlog-e0 netlog syslog-ng[20695]: Log statistics ...
>>>>
>>>> Here's the important part of the configuration concerning time:
>>>>     
>>>>         
>>> and which is the expected time? 11:34 or 10:38?
>>>
>>>   
>>>       
>> 10:38 should be 11:38.
>>     
>
> And any time you restart syslog-ng, it stays the same? The difference
> between the two log messages is that one of them gets generated by
> syslog-ng, the other is sent by an application. 
>   

Here's a more detailed log that shows the consistency:

Mar 18 06:55:02 netlog-e0 netlog syslog-ng[18858]: Termination requested via signal, terminating;
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[18858]: syslog-ng shutting down; version='3.0.4'
Mar 18 06:55:02 netlog-e0 daemon/syslog-ng[18858]: Error removing pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 07:55:02 netlog-e0 syslog-ng: syslog-ng shutdown succeeded
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: Syslog connection established; fd='6', server='AF_INET(129.105.XXX.XXX:514)', local='AF_INET(0.0.0.0:0)'
Mar 18 07:55:02 netlog-e0 syslog-ng: syslog-ng: Error creating pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: Syslog connection established; fd='7', server='AF_UNIX(/dev/log)', local='AF_UNIX(anonymous)'
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: syslog-ng starting up; version='3.0.4'
Mar 18 06:55:02 netlog-e0 netlog syslog-ng[20656]: Error opening control socket, bind() failed; socket='/usr/local/var/syslog-ng.ctl', error='No such file or directory (2)'
Mar 18 07:55:03 netlog-e0 syslog-ng: syslog-ng startup succeeded
Mar 18 06:58:13 netlog-e0 netlog syslog-ng[20656]: Termination requested via signal, terminating;
Mar 18 06:58:13 netlog-e0 daemon/syslog-ng[20656]: Error removing pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 07:58:13 netlog-e0 syslog-ng: syslog-ng shutdown succeeded
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: Syslog connection established; fd='6', server='AF_INET(129.105.XXX.XXX:514)', local='AF_INET(0.0.0.0:0)'
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: Syslog connection established; fd='7', server='AF_UNIX(/dev/log)', local='AF_UNIX(anonymous)'
Mar 18 07:58:15 netlog-e0 syslog-ng: syslog-ng: Error creating pid file; file='/var/run/syslog-ng.pid', error='No such file or directory'
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: syslog-ng starting up; version='3.0.4'
Mar 18 06:58:15 netlog-e0 netlog syslog-ng[20695]: Error opening control socket, bind() failed; socket='/usr/local/var/syslog-ng.ctl', error='No such file or directory (2)'
Mar 18 07:58:16 netlog-e0 syslog-ng: syslog-ng startup succeeded
Mar 18 07:08:15 netlog-e0 netlog syslog-ng[20695]: Log statistics .......

> Is this the same throughout your log file (e.g. all syslog-ng messages
> are off, while normal logs are OK?)
>   

The above shows this as well.  Here's more:

Mar 17 09:42:52 netlog-e0 sshd(pam_unix)[18977]: session opened for user roger by (uid=0)
Mar 17 08:43:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:43:50 netlog-e0 sshd(pam_unix)[19023]: session opened for user fabric by (uid=0)
Mar 17 09:52:52 netlog-e0 sshd(pam_unix)[18892]: session closed for user fabric
Mar 17 08:53:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:59:07 netlog-e0 sshd(pam_unix)[19023]: session closed for user fabric
Mar 17 09:03:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:13:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....

> Are these logs received from a remote host, or are they both local?
> Could you please give more information about your environment?
>   

99% of the messages are coming from remote sources.  We have routers, 
switches, firewalls, and nearly anything else that has syslog exporting 
come to this server.  The system itself is a RHEL3 server.  Its tzdata 
package is up to date.

> I've added your testcase to my unit test collection and it seems to
> detect the timezone offset properly:
>
> diff --git a/tests/unit/test_zone.c b/tests/unit/test_zone.c
> index 5f9a044..ef9a8ba 100644
> --- a/tests/unit/test_zone.c
> +++ b/tests/unit/test_zone.c
> @@ -158,6 +158,10 @@ main(int argc, char *argv[])
>    testcase("NZ", 1111240799, 13*3600);
>    /* Mar 20 02:00:00 2005 (NZT) +1200 */
>    testcase("NZ", 1111240800, 12*3600);
> +  
> +  testcase("US/Central", 1269337645, -5*3600);
> +  testcase("US/Central", 1266879600, -6*3600);
> +
>  
>    now = time(NULL);
>  
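
Review bot: the two added US/Central cases have no comment giving the local date and offset they stand for, unlike the NZ cases directly above them (`/* Mar 20 02:00:00 2005 (NZT) +1200 */`), so 1269337645 and 1266879600 have to be decoded by hand; add a comment in the same style above each. Both timestamps are also far from the switch (they are about four weeks apart), while the NZ pair checks adjacent seconds (1111240799 and 1111240800) on either side of the change; a matching pair of adjacent seconds around the US/Central change would cover the transition window mentioned earlier in the thread. The added `+  ` line is whitespace only and can be dropped.
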
>
> Are you sure syslog-ng's local timezone is properly set? Is syslog-ng
> running in a chroot? If it is, is the timezone in the chroot properly
> set?
>
>   
contents of /etc/sysconfig/clock:

ZONE="US/Central"
UTC=true
ARC=false

We are not running a chroot environment.

-- 
Patrick A. Green
Systems Engineer
Northwestern University Information Technology
Network Transport
pgreen at northwestern.edu
847-467-5878 / Fax: 847-467-5690
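
Added example (not part of the original message and not syslog-ng code): a Python check that reads a log file in arrival order and reports which program tags consistently lag the rest of the file by a whole number of hours, as the syslog-ng internal messages do in the excerpts above. The function name, the 15-minute tolerance and the default year are assumptions made for this illustration; the sample lines are the Mar 17 lines from the message.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# BSD-syslog line: "Mar 17 08:43:11 host tag[pid]: message" (no year, no zone).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>[^:]*?)(?:\[\d+\])?:\s"
)

# The Mar 17 lines from the message above, unwrapped.
SAMPLE = """\
Mar 17 09:42:52 netlog-e0 sshd(pam_unix)[18977]: session opened for user roger by (uid=0)
Mar 17 08:43:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:43:50 netlog-e0 sshd(pam_unix)[19023]: session opened for user fabric by (uid=0)
Mar 17 09:52:52 netlog-e0 sshd(pam_unix)[18892]: session closed for user fabric
Mar 17 08:53:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:59:07 netlog-e0 sshd(pam_unix)[19023]: session closed for user fabric
Mar 17 09:03:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
Mar 17 09:13:11 netlog-e0 netlog syslog-ng[18858]: Log statistics.....
"""


def hour_skew_by_tag(lines, year=2010, tolerance=900):
    """Return {tag: whole-hour offset} for tags that mostly lag the file's clock.

    Assumes lines are in arrival order and most sources stamp correctly, so
    the highest timestamp seen so far serves as the reference clock. Only
    lagging sources are detected; `year` fills in the year syslog omits.
    """
    high_water = None
    votes = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation line or non-syslog text
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if high_water is None or ts >= high_water:
            high_water = ts            # in step with (or advancing) the clock
            votes[m["tag"]][0] += 1
            continue
        lag = (high_water - ts).total_seconds()
        hours = round(lag / 3600)
        # Vote only when the lag is within `tolerance` seconds of a whole hour;
        # an irregular lag points to reordering or drift, not a zone error.
        if abs(lag - hours * 3600) <= tolerance:
            votes[m["tag"]][-hours] += 1
    return {tag: c.most_common(1)[0][0]
            for tag, c in votes.items() if c.most_common(1)[0][0] != 0}


if __name__ == "__main__":
    print(hour_skew_by_tag(SAMPLE.splitlines()))
```

A tag reported with offset -1 is the one to examine for a stale or missing zone definition before its timestamps are used to order events during an investigation.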


