Date: Fri, 17 Feb 2012 11:48:51 -0800 (PST)
From: Roger Marquis
To: Sergey Kandaurov
Cc: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year
Message-Id: <20120217194851.D76DE1065670@hub.freebsd.org>

On Fri, 17 Feb 2012, Sergey Kandaurov wrote:
>> Problem with that would be backwards compatibility, and it's not IMO
>> worth breaking everyone's syslog parsing scripts to fix an issue that
>> really isn't due to the date format as much as it is to log rotation.
>
> That is not a showstopper. Nothing prevents to merge both formats in one
> daemon and introduce a new syslogd option to choose the desired format.

That would be more of a Linux than BSD way of doing things i.e., deprecating the existing format without giving full consideration to the effects on SA scripts and monitoring software, some of which is hardcoded and difficult to change without breaking more than it fixes.

The current syslog syntax timestamp has been reliable now for what, 25+ years? I don't personally see any measurable ROI from changing it. YMMV of course.

Roger Marquis