Date: Sun, 1 Apr 2018 18:24:57 +0800
From: Ben Woods <woodsb02@gmail.com>
To: Julian Elischer <julian@freebsd.org>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Add option -Z to syslogd(8) to use ISO 8601 timestamps
Message-ID: <CAOc73CDgEK8=QHypg_eLMCGsadR6sC=u8AF6nkEdOrG75KpsdA@mail.gmail.com>
In-Reply-To: <4fd424ca-ff93-315c-fa87-fb9c738b9b50@freebsd.org>
References: <CAOc73CCzOoiq9YVC5DJgODC7yF21LCxNXR7aNfKc2FemGOR2cA@mail.gmail.com> <4fd424ca-ff93-315c-fa87-fb9c738b9b50@freebsd.org>

On 1 April 2018 at 11:25, Julian Elischer <julian@freebsd.org> wrote:

> is there a matching change for syslog(3) to actually generate new
> timestamps?
>
> The syslog protocol is unique that either end can be responsible for the
> timestamp.
>

The approach the OpenBSD team has taken has been to remove all timestamping from syslog(3):

"Do not include a timestamp in the syslog message. There is no need -- syslogd will fill it in immediately upon reception on the other side of sendsyslog(2). Our libc only talks to our syslogd, which will fix the timestamp before forwarding. syslog_r has done this for a long time already. ok tedu bluhm"

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/syslog.c.diff?r1=1.32&r2=1.33&f=h
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/syslog_r.c.diff?r1=1.9&r2=1.10&f=h

The FreeBSD syslog(3) code still adds a timestamp, so there is an option to either remove this code from syslog(3) similar to OpenBSD, or update the syslog(3) code to support either timestamp.

My testing shows that if syslogd(8) is not running at the time a message comes in from syslog(3), the message is dropped (not buffered until syslogd is once again running). This means there would be no significant time delay issues causing incorrect timestamps if syslogd(8) adds the timestamp instead of syslog(3).

https://svnweb.freebsd.org/base/head/lib/libc/gen/syslog.c?revision=326025&view=markup#l171

Note that when testing my patch with the logger(1) tool, which uses syslog(3), I have found that the RFC3164 timestamp format applied by syslog(3) is replaced with the RFC5424 timestamp format in syslogd(8), as per the description below.

> In the case of the new timestamp form you would have to strip off the
> incoming old form timestamp and replace it.
>

Indeed. This is handled by the changes in the parsemsg() function, which effectively sets the -T option (RemoteAddDate = 1) if it detects the old timestamp format when the -Z option has been set.

Note that my proposed implementation does not convert the old format to the new format (and assume the current year), but instead simply strips the old timestamp and applies a new one. This is as per OpenBSD's implementation.

Regards,
Ben
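
The strip-and-restamp behaviour described in the message above, as an added example that is not part of the original e-mail, the proposed patch, or syslogd(8): it detects a leading RFC 3164 timestamp, discards it without converting it, and prefixes the receive time in ISO 8601 form. The helper names has_rfc3164_ts() and restamp(), the UTC "Z" output and the sample line are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Helper names are hypothetical; this is not code from syslogd(8). */
#define RFC3164_TSLEN 16 /* "Mmm dd hh:mm:ss " with its trailing space */

/* Return 1 if msg begins with an RFC 3164 timestamp such as "Apr  1 18:24:57 ". */
static int has_rfc3164_ts(const char *msg)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    static const char tmpl[] = "LLL sd dd:dd:dd "; /* L letter, d digit, s space or digit */
    char mon[4] = { 0 };
    const char *p;
    int i;

    for (i = 0; i < RFC3164_TSLEN; i++) {
        unsigned char c = (unsigned char)msg[i];
        if (tmpl[i] == 'L' ? !isalpha(c) :
            tmpl[i] == 'd' ? !isdigit(c) :
            tmpl[i] == 's' ? (c != ' ' && !isdigit(c)) : c != (unsigned char)tmpl[i])
            return 0; /* also stops at the terminating NUL of a short message */
    }
    memcpy(mon, msg, 3);
    p = strstr(months, mon);
    return p != NULL && (p - months) % 3 == 0;
}

/* Drop a sender-supplied RFC 3164 timestamp, if present, and prefix the
 * receive time instead. Returns 1 if an old timestamp was stripped. */
static int restamp(const char *msg, time_t received, char *out, size_t outlen)
{
    char ts[32];
    int stripped = has_rfc3164_ts(msg);

    if (stripped)
        msg += RFC3164_TSLEN; /* the old value is discarded, not converted */
    /* Assumption: UTC with a "Z" suffix, to keep the output deterministic. */
    strftime(ts, sizeof(ts), "%Y-%m-%dT%H:%M:%SZ", gmtime(&received));
    snprintf(out, outlen, "%s %s", ts, msg);
    return stripped;
}

int main(void)
{
    char out[128];
    /* Constructed sample line, as syslog(3) might send it. */
    restamp("Apr  1 18:24:57 logger: hello", (time_t)1522578297, out, sizeof(out));
    puts(out);
    return 0;
}
```

Because the sender's timestamp is thrown away rather than parsed, the year-less RFC 3164 value never has to be interpreted, and the recorded time is always the receiver's clock.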