Date:      Sun, 17 Apr 2005 06:55:27 -0700
From:      Joshua Tinnin <krinklyfig@spymac.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: Misleading security message output
Message-ID:  <200504170655.27864.krinklyfig@spymac.com>
In-Reply-To: <20050414025949.GA94683@gurney.reilly.home>
References:  <20050414025949.GA94683@gurney.reilly.home>

On Wed 13 Apr 05 19:59, Andrew Reilly 
<andrew-freebsd@areilly.bpc-users.org> wrote:
> I had an interesting experience, this morning.  The nightly
> security message from a CVS server machine that runs a version
> of FreeBSD-4 had arrived, and it claimed that someone who hadn't
> done any work for us for some considerable time had had three
> failed login attempts, late that night.  Curious.
>
> After much hunting around, and checking perimeter logs, it
> turned out that nothing of the sort had happened.  The security
> log script had been fooled by the age of the messages.0.gz file,
> which contained messages from more than a year ago.  The search
> pattern "$yesterday" doesn't contain a year, because log file
> timestamps don't contain years.  The log file was so old because
> rotation is determined by size, and this machine simply doesn't
> have much to log, despite being used daily.  It never goes down,
> and is basically completely stable.

Well, you could modify /etc/newsyslog.conf, where it says:

/var/log/messages                       600  14    100  *     J

change it to:

/var/log/messages                       600  14    *    @T00  J

This assumes you want 14 message logs, rotated once a day at midnight.
Any message logs over 14 days will be deleted.

man newsyslog.conf

> This could be avoided, perhaps, with a NetBSD-style backup/diff
> mechanism, or (incompatibly) with daemontools/multilog-style
> 64-bit time stamps in the log files.  It can be worked-around
> by forcing faster log-file rotations, now that I know about
> the problem.  I can't think of a really good widely-applicable
> solution, using the existing framework, though.

I'm not quite sure what you mean. Do you want a way to have the
timestamp record the year as well, so that you can keep the default
setting?

- jt
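The false positive Andrew describes can be reproduced and guarded against in a few lines of sh. The script below is an added illustration, not code from the thread or from FreeBSD's periodic scripts: it builds a constructed, year-old messages.0 file containing "Failed password" lines, then shows that a naive grep for yesterday's "Mon DD" stamp counts them as fresh, while a variant that first checks each rotated file's modification time (via POSIX find -mtime) ignores a log too old to contain yesterday's events. The hostname, user and 192.0.2.x address in the sample lines are constructed, and the 2-day age threshold is an assumed cutoff.

```shell
#!/bin/sh
# Demonstration of a year-less syslog stamp matching entries from a previous year,
# and of an mtime check that prevents the match. Constructed data, not from the thread.
set -eu

# Write a rotated log whose lines are a year old and backdate its mtime (constructed).
make_old_log() {
    log=$1
    printf '%s\n' \
        'Apr 16 23:41:02 cvs sshd[1234]: Failed password for olduser from 192.0.2.10 port 4000 ssh2' \
        'Apr 16 23:41:10 cvs sshd[1234]: Failed password for olduser from 192.0.2.10 port 4001 ssh2' \
        'Apr 16 23:41:15 cvs sshd[1234]: Failed password for olduser from 192.0.2.10 port 4002 ssh2' \
        > "$log"
    # Backdate to a fixed past date so the file looks like a size-rotated log from long ago.
    touch -t 200404162341 "$log"
}

# Naive approach: grep every log given for lines starting with yesterday's "Mon DD" stamp.
# Because the stamp carries no year, old rotated logs match just as well as the live one.
naive_count() {
    yesterday=$1; shift
    n=$(cat "$@" | grep -c "^$yesterday" || true)
    echo "$n"
}

# Checked approach: skip any file whose mtime is older than $maxage days. A log that was
# last written that long ago cannot contain yesterday's entries, whatever its stamps say.
checked_count() {
    yesterday=$1; maxage=$2; shift 2
    total=0
    for f in "$@"; do
        # find prints the path only if the file was modified within the last $maxage days
        if [ -n "$(find "$f" -mtime -"$maxage" 2>/dev/null)" ]; then
            c=$(grep -c "^$yesterday" "$f" || true)
            total=$((total + c))
        fi
    done
    echo "$total"
}

# Stand-alone run: one fresh line in messages, three year-old lines in messages.0.
demo() {
    tmp=$(mktemp -d)
    make_old_log "$tmp/messages.0"
    printf 'Apr 16 10:00:00 cvs login: ROOT LOGIN (root) ON ttyv0\n' > "$tmp/messages"
    echo "naive:   $(naive_count 'Apr 16' "$tmp/messages" "$tmp/messages.0") line(s) for Apr 16"
    echo "checked: $(checked_count 'Apr 16' 2 "$tmp/messages" "$tmp/messages.0") line(s) for Apr 16"
    rm -rf "$tmp"
}
demo
```

The mtime check is a cheap complement to the newsyslog.conf change above: time-based rotation keeps old entries from lingering, and the age test keeps a report from trusting a file that rotation has not touched in a long time.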



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504170655.27864.krinklyfig>