From: Joshua Tinnin
To: freebsd-stable@freebsd.org
Date: Sun, 17 Apr 2005 06:55:27 -0700
Subject: Re: Misleading security message output

On Wed 13 Apr 05 19:59, Andrew Reilly wrote:
> I had an interesting experience, this morning. The nightly
> security message from a CVS server machine that runs a version
> of FreeBSD-4 had arrived, and it claimed that someone who hadn't
> done any work for us for some considerable time had had three
> failed login attempts, late that night. Curious.
>
> After much hunting around, and checking perimeter logs, it
> turned out that nothing of the sort had happened. The security
> log script had been fooled by the age of the messages.0.gz file,
> which contained messages from more than a year ago. The search
> pattern "$yesterday" doesn't contain a year, because log file
> timestamps don't contain years. The log file was so old because
> rotation is determined by size, and this machine simply doesn't
> have much to log, despite being used daily. It never goes down,
> and is basically completely stable.

Well, you could modify /etc/newsyslog.conf, where it says:

    /var/log/messages 600 14 100 * J

change it to:

    /var/log/messages 600 14 * @T00 J

This assumes you want 14 message logs, rotated once a day at midnight.
Any message logs over 14 days will be deleted.

man newsyslog.conf

> This could be avoided, perhaps, with a NetBSD-style backup/diff
> mechanism, or (incompatibly) with daemontools/multilog-style
> 64-bit time stamps in the log files. It can be worked-around
> by forcing faster log-file rotations, now that I know about
> the problem. I can't think of a really good widely-applicable
> solution, using the existing framework, though.

I'm not quite sure what you mean. Do you want a way to have the
timestamp record the year as well, so that you can keep the default
setting?

- jt
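
The false positive described in the quoted report, reproduced as an added example (not part of the original message and not the FreeBSD periodic security script): a year-less date pattern matches a rotation that is a year old unless the search also checks file age. The function names, the 7-day limit and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; names, the 7-day limit and the sample lines are constructed.

# Print a log file, decompressing .gz rotations.
cat_log() {
    case "$1" in
        *.gz) gzip -cd "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Naive: search every messages* file, whatever its age.
# $1 = log dir, $2 = year-less date such as "Apr 16", $3 = text to match
count_naive() {
    for f in "$1"/messages*; do
        [ -f "$f" ] && cat_log "$f"
    done | grep -c "^$2 .*$3" || true
}

# Guarded: skip files last modified $4 or more days ago. Assumes a file's
# mtime is close to its newest entry, so such a file cannot hold yesterday's
# lines, only the same month and day from an earlier year.
count_guarded() {
    find "$1" -name 'messages*' -type f -mtime "-$4" |
    while IFS= read -r f; do cat_log "$f"; done |
    grep -c "^$2 .*$3" || true
}

# Constructed sample: a live log plus a rotation last written a year earlier.
demo() {
    d=$(mktemp -d) || return 1
    echo 'Apr 16 09:00:00 cvs sshd[100]: Accepted publickey for dev' > "$d/messages"
    echo 'Apr 16 23:10:01 cvs login: 3 LOGIN FAILURES ON ttyp0, olduser' > "$d/messages.0"
    touch -t 200404170300 "$d/messages.0"
    echo "naive:   $(count_naive "$d" 'Apr 16' 'LOGIN FAILURES')"
    echo "guarded: $(count_guarded "$d" 'Apr 16' 'LOGIN FAILURES' 7)"
    rm -rf "$d"
}

demo
```

The age check complements the time-based rotation suggested above: daily rotation keeps old entries out of the searched files, and the guard covers hosts where rotation is still size-based.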