[syslog-ng] [Bug 267] $YEAR on event in RFC 3164 format

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Sun Jan 19 13:49:51 CET 2014


https://bugzilla.balabit.com/show_bug.cgi?id=267





--- Comment #2 from Balazs Scheidler <bazsi at balabit.hu>  2014-01-19 13:49:50 ---
(In reply to comment #1)
> Hello,
> 
> I have found on syslog-format.c, from line 385, these codes:
> 
>           /* detect if the message is coming from last year. If its
>            * month is at least one larger than the current month. This
>            * handles both clocks that are in the future, or in the
>            * past:
>            *   in January we receive a message from December (past) => last year
>            *   in January we receive a message from February (future) => same year
>            *   in December we receive a message from January (future) => next year
>            */
>           if (tm.tm_mon > nowtm.tm_mon + 1)
>             tm.tm_year--;
>           if (tm.tm_mon < nowtm.tm_mon - 1)
>             tm.tm_year++;
> 
> 
> It seems that these codes is responsible of the strange situation;
> 
> But I don't understand why? Is there an RFC referring to this? 

no, it's an old heuristic to determine the information that is not there.

> 
> May be the best this code?
> if (tm.tm_mon > nowtm.tm_mon + 1) tm.tm_year--;
> 
> I think that if the date of the event is over the current date, this means that this is an event of the past year, not of the future.
> 
> May be the best to add a new parameter on syslog-ng.conf to configure this situation.
> 
> What do you think about?

I received similar reports and there's a preliminary patch here:

https://github.com/balabit/syslog-ng/commit/8105aea13eb52fcf53f99d6297e86bca5fae01ca

However I didn't have enough time to think about the proposed solution there, so I haven't integrated it either. 

I'd love to receive feedback on the proposed patch and if two people come to the same conclusion (the one who submitted the patch above and you), I'd be
willing
to merge the patch without further ado.

Thanks.


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.


More information about the syslog-ng mailing list