Date: Fri, 22 Apr 2005 09:52:18 +1000
From: Andrew Reilly <andrew-freebsd@areilly.bpc-users.org>
To: Joel <rees@ddcom.co.jp>
Cc: freebsd-stable@freebsd.org
Subject: Re: Misleading security message output
Message-ID: <20050421235218.GA76511@gurney.reilly.home>
In-Reply-To: <20050418103032.9618.REES@ddcom.co.jp>
References: <200504170655.27864.krinklyfig@spymac.com> <20050417225347.GA9600@gurney.reilly.home> <20050418103032.9618.REES@ddcom.co.jp>

On Mon, Apr 18, 2005 at 10:54:20AM +0900, Joel wrote:
> The first question that comes to mind: do you really need logs from a
> year back?

Nope. Should I need to tweak the default config files to ensure
that I don't get them?

> Maybe it's because I'm such a newb, but I'm wondering which program has
> what bug? Is it that the default configuration files for the login logs
> doesn't put an age limit on the rotation? Is it that the log lines don't
> contain a full 4-digit year in the timestamp? Or is it that the
> logscraper doesn't know to check the age of a log file, or doesn't know
> to work on the tail of the log?

The bug is in the security logscraper script, because it presented
a log entry from a year ago as something that happened yesterday.

The proximate cause of the bug is that the log files don't contain
a year as part of the date format.

The easy work-around is to include timed rotation as part of the
standard configuration so that the lack of a year in the logfile
date format does not expose the bug in the script.

There are two plausible "real fixes" for the bug:
1) use a backup+diff scheme to find "yesterday's log messages" --
   this is what NetBSD does, or
2) change the syslog daemon to include the year in the logfile
   date stamp -- this is what daemontools' multilog does.

Option 2 is likely to be difficult to roll into the standard
because it would almost certainly break third-party logfile
scrapers.

Cheers,

-- 
Andrew
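The failure discussed in the message above, as an added example that is not part of the original e-mail and is not the FreeBSD or NetBSD script: a year-blind match on the syslog date prefix next to a pass that infers the year by walking back from the newest entry. The log lines, function names and reference date are constructed, and the year-aware pass assumes entries are in append order with the newest one written in the current year.

```python
from datetime import date, timedelta

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample: an unrotated auth log spanning two years, in append order.
# Classic syslog stamps ("Mmm dd hh:mm:ss") carry no year.
SAMPLE_LOG = """\
Apr 17 03:12:45 host sshd[411]: Failed password for root from 192.0.2.7
Apr 18 08:00:01 host login: ROOT LOGIN (root) ON ttyv0
Dec 30 23:59:10 host sshd[902]: Failed password for admin from 192.0.2.9
Jan  2 10:15:00 host sshd[120]: Accepted publickey for andrew from 192.0.2.1
Apr 16 22:41:07 host sshd[733]: Failed password for joel from 192.0.2.5
Apr 17 11:02:33 host sshd[801]: Failed password for joel from 192.0.2.5
""".splitlines()

def naive_yesterday(lines, today):
    """Year-blind scrape: match yesterday's 'Mmm dd' prefix and nothing else."""
    y = today - timedelta(days=1)
    prefix = f"{MONTHS[y.month - 1]} {y.day:2d}"
    return [l for l in lines if l.startswith(prefix)]

def stamp(line):
    """Return (month, day, 'hh:mm:ss') parsed from a classic syslog line."""
    return (MONTHS.index(line[:3]) + 1, int(line[4:6]), line[7:15])

def with_years(lines, newest_year):
    """Pair each line with an inferred (year, month, day), newest entry first.
    Going backwards, a stamp later than its successor marks a year boundary.
    Limitation: a silent gap longer than a year cannot be detected this way."""
    year, later, out = newest_year, None, []
    for line in reversed(lines):
        cur = stamp(line)
        if later is not None and cur > later:
            year -= 1
        later = cur
        out.append(((year, cur[0], cur[1]), line))
    return out[::-1]

def year_aware_yesterday(lines, today):
    """Assumption: the newest entry in the file was written in today's year."""
    y = today - timedelta(days=1)
    want = (y.year, y.month, y.day)
    return [l for d, l in with_years(lines, today.year) if d == want]

if __name__ == "__main__":
    today = date(2005, 4, 18)  # constructed reference date
    print("naive:     ", naive_yesterday(SAMPLE_LOG, today))
    print("year-aware:", year_aware_yesterday(SAMPLE_LOG, today))
```

The naive pass reports the year-old root login failure alongside the real one; the year-aware pass reports only the entry actually written the day before.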