From: Andrew Reilly
To: Joel
Cc: freebsd-stable@freebsd.org
Date: Fri, 22 Apr 2005 09:52:18 +1000
Subject: Re: Misleading security message output
Message-ID: <20050421235218.GA76511@gurney.reilly.home>
In-Reply-To: <20050418103032.9618.REES@ddcom.co.jp>
References: <200504170655.27864.krinklyfig@spymac.com> <20050417225347.GA9600@gurney.reilly.home> <20050418103032.9618.REES@ddcom.co.jp>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Mon, Apr 18, 2005 at 10:54:20AM +0900, Joel wrote:
> The first question that comes to mind: do you really need logs from a
> year back?

Nope. Should I need to tweak the default config files to ensure that I
don't get them?

> Maybe it's because I'm such a newb, but I'm wondering which program has
> what bug? Is it that the default configuration files for the login logs
> doesn't put an age limit on the rotation? Is it that the log lines don't
> contain a full 4-digit year in the timestamp? Or is it that the
> logscraper doesn't know to check the age of a log file, or doesn't know
> to work on the tail of the log?

The bug is in the security logscraper script, because it presented a log
entry from a year ago as something that happened yesterday.

The proximate cause of the bug is that the log files don't contain a year
as part of the date format.

The easy work-around is to include timed rotation as part of the standard
configuration so that the lack of a year in the logfile date format does
not expose the bug in the script.

There are two plausible "real fixes" for the bug:

1) use a backup+diff scheme to find "yesterday's log messages" -- this is
   what NetBSD does, or
2) change the syslog daemon to include the year in the logfile date stamp
   -- this is what daemontools' multilog does.

Option 2 is likely to be difficult to roll into the standard because it
would almost certainly break third-party logfile scrapers.

Cheers,

--
Andrew
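The backup+diff scheme Andrew names as "real fix" option 1 can be shown in a few lines of sh. The script below is an added example written for this archive page; it is not NetBSD's or FreeBSD's periodic script and does not come from the message. The function name `new_since_last_run`, the snapshot file, and the sample log lines are all constructed for the illustration. The point it demonstrates is that the scraper never parses the year-less syslog timestamp at all: it reports a line as new only if it was appended since the previous run, so a year-old "Apr 21" entry that merely matches today's month and day is never mistaken for yesterday's activity. It also handles the rotation edge case (the live file no longer begins with the saved snapshot), reporting the whole new file rather than silently dropping lines.

```shell
#!/bin/sh
# Added example (not NetBSD's or FreeBSD's own periodic script): report only
# the log lines appended since the previous run, using a saved snapshot and
# a prefix comparison instead of the year-less syslog timestamps.

# new_since_last_run LOG SNAPSHOT
#   Prints lines added to LOG since SNAPSHOT was taken, then refreshes the
#   snapshot. If LOG has been rotated (the snapshot is no longer a prefix of
#   it), the entire current file is treated as new.
new_since_last_run() {
    log=$1
    snap=$2
    if [ -f "$snap" ]; then
        snaplines=$(wc -l < "$snap" | tr -d ' ')
        # Is the snapshot still the head of the live log?
        if head -n "$snaplines" "$log" | cmp -s - "$snap"; then
            tail -n +$((snaplines + 1)) "$log"
        else
            cat "$log"           # rotated or truncated: everything is new
        fi
    else
        cat "$log"               # first run: no baseline yet
    fi
    cp "$log" "$snap"
}

# demo_growth: constructed sample. The first line is a year-old entry whose
# month/day happen to match "today"; a date-based scraper would report it,
# the diff-based one reports only the line appended after the baseline run.
demo_growth() {
    dir=$(mktemp -d)
    log=$dir/auth.log
    snap=$dir/auth.log.prev
    printf 'Apr 21 23:52:18 host sshd[1]: old entry from last year\n' > "$log"
    new_since_last_run "$log" "$snap" > /dev/null      # baseline run
    printf 'Apr 21 23:55:00 host sshd[2]: new entry\n' >> "$log"
    new_since_last_run "$log" "$snap"                  # prints only the new entry
    rm -rf "$dir"
}

# demo_rotation: constructed sample of a newsyslog-style rotation, where the
# live file starts over and is shorter than the snapshot.
demo_rotation() {
    dir=$(mktemp -d)
    log=$dir/auth.log
    snap=$dir/auth.log.prev
    printf 'line a\nline b\n' > "$log"
    new_since_last_run "$log" "$snap" > /dev/null      # baseline run
    printf 'line c\n' > "$log"                         # rotated: fresh file
    new_since_last_run "$log" "$snap"                  # prints the whole new file
    rm -rf "$dir"
}
```

Run it as `new_since_last_run /var/log/auth.log /var/log/auth.log.prev` from a daily job; the snapshot path is an assumption, not a FreeBSD default. Because the comparison is by file content rather than by timestamp, the approach works unchanged whether or not the syslog daemon ever gains a year in its date stamp, which is exactly why it sidesteps the compatibility concern raised against option 2.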