[syslog-ng] syslog-ng 3.3.3 default year is wrong

Balazs Scheidler bazsi at balabit.hu
Wed Dec 21 13:45:46 CET 2011


On Wed, 2011-12-21 at 13:44 +0100, Balazs Scheidler wrote:
> On Fri, 2011-12-02 at 23:20 +0100, Gergely Nagy wrote:
> > Evan Rempel <erempel at uvic.ca> writes:
> > 
> > > When parsing a source that has a month and day but no year, the S_YEAR macro does not default
> > > to R_YEAR. It seems to be defaulting to R_YEAR+1
> > >
> > > What is the intention when there is no year in the source?
> > 
> > This sounds interesting. A quick look at the code didn't reveal anything
> > obviously wrong. I'll see what I can do about it, since reproduction
> > seems easy enough (and then it's just a little bit of gdb-magic away to
> > spot the error).
> > 
> > Thanks for the report!
> > 
> 
> If there's no year in the incoming timestamp, syslog-ng applies a
> heuristic to determine the actual year. This heuristic assumes that
> the incoming message was generated quite close to the current system
> time.
> 
> Here's the algorithm (quoting the source):
> 
>           /* detect if the message is coming from last year. If its
>            * month is at least one larger than the current month. This
>            * handles both clocks that are in the future, or in the
>            * past:
>            *   in January we receive a message from December (past) => last year
>            *   in January we receive a message from February (future) => same year
>            *   in December we receive a message from January (future) => next year
>            */
>           if (tm.tm_mon > nowtm.tm_mon + 1)
>             tm.tm_year--;
>           if (tm.tm_mon < nowtm.tm_mon - 1)
>             tm.tm_year++;
> 

BTW: if you want to process historical data, please use a complete
timestamp that includes year information. syslog-ng is certainly capable
of doing that, but as far as I know rsyslog can do that too.

-- 
Bazsi
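
The two tests quoted above, carried through for several month pairs, as an added example (not syslog-ng's code and not part of the original message). `guess_year()` is a hypothetical wrapper, and starting from the receiver's year is an assumption, since the quoted fragment does not show how `tm.tm_year` is initialised.

```c
#include <stdio.h>
#include <time.h>

/* guess_year() is a hypothetical wrapper around the two quoted tests.
 * Assumption: the parsed time starts out with the receiver's year.
 * Months are struct tm style: 0 = January ... 11 = December. */
static int guess_year(int msg_mon, int now_mon, int now_year)
{
    struct tm tm = {0}, nowtm = {0};

    nowtm.tm_mon = now_mon;
    nowtm.tm_year = now_year - 1900;
    tm.tm_mon = msg_mon;
    tm.tm_year = nowtm.tm_year;

    if (tm.tm_mon > nowtm.tm_mon + 1)
        tm.tm_year--;
    if (tm.tm_mon < nowtm.tm_mon - 1)
        tm.tm_year++;
    return tm.tm_year + 1900;
}

int main(void)
{
    static const char *mon[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    /* Constructed cases: {message month, receiver month}; receiver year 2011. */
    static const int cases[][2] = {
        {11, 0},  /* clock skew across New Year, message from the past */
        {1, 0},   /* sender clock one month ahead */
        {0, 11},  /* sender clock already in January */
        {10, 11}, /* one month old: still inside the tolerance */
        {8, 11},  /* three months old, e.g. a replayed log file */
        {2, 5},   /* three months old, mid-year */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("message %s, receiver %s 2011 -> year %d\n",
               mon[cases[i][0]], mon[cases[i][1]],
               guess_year(cases[i][0], cases[i][1], 2011));
    return 0;
}
```

The last two cases are messages more than one month behind the receiver's clock within the same calendar year; they come out dated 2012, which is the case where a timestamp that carries the year is needed to keep a log timeline correct.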



