[syslog-ng] syslog-ng 3.3.3 default year is wrong
Balazs Scheidler
bazsi at balabit.hu
Wed Dec 21 13:44:55 CET 2011
On Fri, 2011-12-02 at 23:20 +0100, Gergely Nagy wrote:
> Evan Rempel <erempel at uvic.ca> writes:
>
> > When parsing a source that has a month and day but no year, the S_YEAR macro does not default
> > to R_YEAR. It seems to be defaulting to R_YEAR+1
> >
> > What is the intention when there is no year in the source?
>
> This sounds interesting. A quick look at the code didn't reveal anything
> obviously wrong. I'll see what I can do about it, since reproduction
> seems easy enough (and then it's just a little bit of gdb-magic away to
> spot the error).
>
> Thanks for the report!
>
If there's no year in the incoming timestamp, syslog-ng applies a
heuristic to determine the actual year. This heuristic assumes that
the incoming message was generated quite close to the current system
time.

Here's the algorithm (quoting the source):
    /* detect if the message is coming from last year. If its
     * month is at least one larger than the current month. This
     * handles both clocks that are in the future, or in the
     * past:
     *   in January we receive a message from December (past) => last year
     *   in January we receive a message from February (future) => same year
     *   in December we receive a message from January (future) => next year
     */
    if (tm.tm_mon > nowtm.tm_mon + 1)
      tm.tm_year--;
    if (tm.tm_mon < nowtm.tm_mon - 1)
      tm.tm_year++;
--
Bazsi
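
Added example, not part of the original message or of syslog-ng's source: the two quoted conditions wrapped in a hypothetical helper, guess_year(), so the year assigned to a year-less timestamp can be checked for any receive date. It shows that only messages within one month of the receiver's clock keep the current year, which matters when delayed or replayed logs are used to build a timeline.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical helper (the name and signature are assumptions, not a
 * syslog-ng function). msg_mon and now_mon are 0-based, as in struct tm
 * (0 = January). Returns the calendar year given to the message. */
int guess_year(int msg_mon, int now_year, int now_mon)
{
    struct tm nowtm = {0};
    struct tm tm;

    nowtm.tm_year = now_year - 1900;
    nowtm.tm_mon = now_mon;

    tm = nowtm;              /* start from the receiver's current year */
    tm.tm_mon = msg_mon;     /* month parsed from the incoming message */

    /* The two conditions quoted in the message above. */
    if (tm.tm_mon > nowtm.tm_mon + 1)
        tm.tm_year--;
    if (tm.tm_mon < nowtm.tm_mon - 1)
        tm.tm_year++;

    return tm.tm_year + 1900;
}

int main(void)
{
    /* Constructed cases: {message month, receiver year, receiver month}. */
    static const int cases[][3] = {
        {11, 2012, 0},   /* December seen in January  */
        {1,  2012, 0},   /* February seen in January  */
        {0,  2011, 11},  /* January seen in December  */
        {9,  2011, 11},  /* October seen in December  */
        {10, 2011, 11},  /* November seen in December */
        {2,  2011, 5},   /* March seen in June        */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("msg month %2d, received %d-%02d => year %d\n",
               cases[i][0] + 1, cases[i][1], cases[i][2] + 1,
               guess_year(cases[i][0], cases[i][1], cases[i][2]));
    return 0;
}
```

A message stamped October that arrives in December 2011 is dated October 2012 by these conditions, so a source that sends records more than a month old will have them placed in the following year.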