From: Roger Marquis <marquis@roble.com>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-security@freebsd.org, Sergey Kandaurov
Date: Fri, 17 Feb 2012 15:56:19 -0800 (PST)
Subject: Re: periodic security run output gives false positives after 1 year
Message-Id: <20120217235620.4BEF4106566B@hub.freebsd.org>
In-Reply-To: <4F3EE1C9.4030601@quip.cz>

>> The current syslog syntax timestamp has been reliable now for what, 25+
>> years? I don't personally see any measurable ROI from changing it. YMMV of
>> course.
>
> It is similar to the y2k problem and dates with YY format instead of YYYY - it
> was fine for many years...

Is it? If I recall, Y2K had more to do with 2-digit year fields that should
have been 4-digit.

> But did you notice that almost everything else is already logging with the year
> in the date?
I don't personally recall a time when everything else wasn't logging the year,
in one format or another. That's not to imply that syslogs shouldn't be
distinguishable by year, but the question seems to be where the year should be
logged: A) on every line, or B) in the archive file name.

I suspect it was not common practice to leave logs on the server for more than
a year when Allman originally wrote syslog, and I have not seen an environment
where logs are left in /var/log for over a year.

Personally, I would rather see FreeBSD stay backwards compatible and A) leave
the syslog timestamp format alone, opting for KIS by simply writing the year in
the archive file name rather than wasting 5 bytes on every line of every syslog
log file. YMMV.

Roger
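The false positive in the subject line comes from a year-less timestamp: a "Feb 17" line from last year is indistinguishable from this year's once a file holds more than twelve months of history. The following is an added example, not code from FreeBSD, newsyslog or anyone on this thread. It parses classic BSD syslog lines and RFC 5424-style lines, resolves the year of a year-less line either from the time the file is read (the only thing a live /var/log file offers) or from the archive name (option B above), and then runs a periodic(8)-style "entries for yesterday" count over constructed sample lines to show which layouts can be disambiguated. The "name.YYYY" / "name.YYYYMMDD[.gz]" archive naming and every log line are assumptions made for the example.

```python
"""Year resolution for year-less syslog timestamps (added example, not
FreeBSD code). All log lines below are constructed; the archive naming
convention is an assumption, not what newsyslog does by default."""
import datetime as dt
import re

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Classic BSD syslog line: "Mmm dd HH:MM:SS host tag[pid]: msg" (no year;
# the day is space-padded, so "Feb  7" and "Feb 17" both occur).
BSD_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) (?P<rest>.*)$")

# RFC 5424-style line: ISO 8601 timestamp with year (offset is parsed but
# dropped here, so timestamps are naive local time).
ISO_TS = re.compile(
    r"^(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})T"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})? "
    r"(?P<rest>.*)$")

# Option B: the year lives in the rotated file name. Assumed convention:
# "auth.log.2011", "messages.20110217.gz" and the like.
ARCHIVE_YEAR = re.compile(
    r"\.(?P<y>(?:19|20)\d{2})(?:\d{4})?(?:\.(?:gz|bz2|xz))?$")


def year_from_archive_name(path):
    """Year encoded in an archive name, or None (e.g. for 'messages.0')."""
    m = ARCHIVE_YEAR.search(path)
    return int(m["y"]) if m else None


def parse(line, reference, year_hint=None):
    """Return (timestamp, rest-of-line) or None if the line does not parse.

    `reference` is when the line is read (file mtime, or now).
    `year_hint` overrides inference; it is what option B supplies."""
    m = ISO_TS.match(line)
    if m:
        ts = dt.datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                         int(m["h"]), int(m["m"]), int(m["s"]))
        return ts, m["rest"]
    m = BSD_TS.match(line)
    if not m:
        return None
    mon, day = MONTHS[m["mon"]], int(m["day"])
    hms = (int(m["h"]), int(m["m"]), int(m["s"]))
    if year_hint is not None:
        return dt.datetime(year_hint, mon, day, *hms), m["rest"]
    # No year anywhere: take the latest year in which this date is not in
    # the future. That only disambiguates entries under 12 months old; a
    # file holding more than a year of history stays ambiguous.
    for year in (reference.year, reference.year - 1):
        try:
            ts = dt.datetime(year, mon, day, *hms)
        except ValueError:          # Feb 29 in a non-leap year
            continue
        if ts <= reference:
            return ts, m["rest"]
    return None


def entries_on(lines, day, reference, needle, year_hint=None):
    """Count lines containing `needle` whose resolved date is `day`, the way
    a periodic(8) security script greps for yesterday's entries."""
    hits = 0
    for line in lines:
        parsed = parse(line, reference, year_hint)
        if parsed and parsed[0].date() == day and needle in parsed[1]:
            hits += 1
    return hits


# Constructed sample: the same two events, a year apart, in both formats.
BSD_LINES = [
    "Feb 17 10:00:01 gw sshd[101]: error: PAM: authentication error for root from 192.0.2.10",
    "Feb 17 10:05:42 gw sshd[202]: error: PAM: authentication error for root from 192.0.2.11",
]
ISO_LINES = [
    "2011-02-17T10:00:01-08:00 gw sshd[101]: error: PAM: authentication error for root from 192.0.2.10",
    "2012-02-17T10:05:42-08:00 gw sshd[202]: error: PAM: authentication error for root from 192.0.2.11",
]
READ_AT = dt.datetime(2012, 2, 18, 3, 1, 0)   # the nightly periodic run
DAY = dt.date(2012, 2, 17)
NEEDLE = "authentication error"

if __name__ == "__main__":
    print("year-less, live file:", entries_on(BSD_LINES, DAY, READ_AT, NEEDLE))
    print("ISO timestamps:      ", entries_on(ISO_LINES, DAY, READ_AT, NEEDLE))
    print("year-less, archive:  ", entries_on(
        BSD_LINES, DAY, READ_AT, NEEDLE, year_from_archive_name("auth.log.2011.bz2")))
```

Reading the year-less lines from a live file counts both events as "yesterday" (the false positive), the ISO lines count one, and the same year-less lines read from an archive whose name carries 2011 count none. Option B therefore works only once a file has been rotated under a year-bearing name; the live file is the case neither the file name nor the reference time can fix.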