Date: Thu, 13 Jun 2013 20:53:56 -0700 (PDT) From: David Schultz <das@freebsd.org> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/179546: syslog/newsyslog don't handle years sanely Message-ID: <201306140353.r5E3ru1Z084254@zim.MIT.EDU> Resent-Message-ID: <201306140400.r5E400Ew076810@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 179546 >Category: bin >Synopsis: syslog/newsyslog don't handle years sanely >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jun 14 04:00:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: David Schultz >Release: FreeBSD 10.0-CURRENT amd64 >Organization: >Environment: System: 10.0-CURRENT r250991M: Sun May 26 23:15:39 PDT 2013 >Description: The daily security run 800.loginfail reported the following login failures: Jun 12 23:30:52 zim sshd[79867]: Invalid user xxx from yyy Jun 12 23:30:52 zim sshd[79867]: input_userauth_request: invalid user xxx [preauth] Jun 12 23:30:52 zim sshd[79867]: Postponed keyboard-interactive for invalid user xxx from yyy port 34743 ssh2 [preauth] This came as a big surprise, because I haven't used machine yyy in about 6 months. But in fact, the warnings are from 2012; the script doesn't handle the situation where auth.log is rotated less often than once a year: -rw------- 1 root 0 87k Jun 13 20:26 /var/log/auth.log -rw------- 1 root 0 34k Mar 3 2012 /var/log/auth.log.0.bz2 -rw------- 1 root 0 8.7k Dec 21 2011 /var/log/auth.log.1.bz2 -rw------- 1 root 0 10k May 23 2011 /var/log/auth.log.2.bz2 -rw------- 1 root 0 9.8k Nov 1 2010 /var/log/auth.log.3.bz2 -rw------- 1 root 0 11k Sep 28 2009 /var/log/auth.log.4.bz2 -rw------- 1 root 0 19k Sep 28 2009 /var/log/auth.log.5.bz2 -rw------- 1 root 0 10k Mar 23 2009 /var/log/auth.log.6.bz2 The out-of-the-box configuration shouldn't have surprises like this. It looks like there was an attempt to fix the problem by configuring newsyslog to rotate the file every year: > grep auth /usr/src/head/etc/newsyslog.conf /var/log/auth.log 600 7 100 @0101T JC This fix is insufficent, though. newsyslog won't obey if the machine is not running between Dec 31 23:00 and Jan 1 01:00. >How-To-Repeat: >Fix: The cleanest fix is probably on the syslog side: either include the year in log messages, or find a way to make newsyslog rotate logs reliably at least once a year. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306140353.r5E3ru1Z084254>