Date:      Thu, 6 Jul 2006 15:20:44 GMT
From:      Anton Korotin <korotin@ripn.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   conf/99844: incorrect default newsyslog.conf settings
Message-ID:  <200607061520.k66FKivP077590@www.freebsd.org>
Resent-Message-ID: <200607061530.k66FUGTh096796@freefall.freebsd.org>


>Number:         99844
>Category:       conf
>Synopsis:       incorrect default newsyslog.conf settings
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 06 15:30:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Anton Korotin
>Release:        FreeBSD 6.1-RELEASE i386
>Organization:
>Environment:
FreeBSD delta2.ripn.net 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:42:56 UTC 2006     root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386 
>Description:
The problem is a combination of two facts:

1) According to the default newsyslog.conf settings, some log files 
   are rotated only by size, on reaching the 100K size limit. 

2) syslogd has a hard-coded format for writing the date into log files.
   The year is not included and hence can't be written into logs.

The problem appears when the log file grows slower than 100K per year.
In this case it becomes hard (or even impossible) to distinguish
records created on the same day but different years.

One visible effect is 'false positives' of the 
/etc/periodic/security/800.loginfail 
script, which analyses the /var/log/auth.log file and may report 
events that happened one or more years ago, while it's expected 
to report only 'yesterday' login failures, as its result is 
included in daily security reports.

>How-To-Repeat:

>Fix:
Variants are:
a) teach syslogd to write the date in log files with the year value
b) rotate log files at least once a year regardless of their size
>Release-Note:
>Audit-Trail:
>Unformatted:
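
The false positive described in this report, as an added example that is not part of the original message or of FreeBSD's own scripts: a year-less prefix match picks up an old login failure, while inferring the year from line order does not. The log lines are constructed, the function names are hypothetical, and the naive filter only models the behaviour the report attributes to 800.loginfail.

```python
from datetime import datetime, timedelta

# Constructed sample of a slow-growing auth.log, oldest line first (no year field).
SAMPLE_LOG = """\
Jul  5 03:12:01 host sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Nov 20 11:40:19 host sshd[702]: Failed password for admin from 192.0.2.11 port 5122 ssh2
Jul  5 09:30:44 host sshd[933]: Failed password for bob from 192.0.2.12 port 6022 ssh2
Jul  6 08:00:00 host sshd[950]: Accepted publickey for bob from 192.0.2.12 port 6030 ssh2
""".splitlines()

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def naive_yesterday(lines, now):
    """Match only the 'Mon dd ' prefix, so any year's entries for that day match."""
    y = now - timedelta(days=1)
    prefix = f"{y:%b} {y.day:2d} "
    return [l for l in lines if l.startswith(prefix) and "Failed" in l]

def assign_years(lines, now):
    """Walk newest to oldest; a timestamp that jumps forward means the
    previous (older) line belongs to an earlier year."""
    year = now.year
    newer = (now.month, now.day, now.strftime("%H:%M:%S"))
    dated = []
    for line in reversed(lines):
        key = (MONTHS[line[:3]], int(line[4:6]), line[7:15])
        if key > newer:          # older line cannot be later in the same year
            year -= 1
        newer = key
        dated.append((year, key, line))
    return dated[::-1]

def year_aware_yesterday(lines, now):
    """Report only failures whose inferred full date is yesterday."""
    y = now - timedelta(days=1)
    return [l for yr, key, l in assign_years(lines, now)
            if (yr, key[0], key[1]) == (y.year, y.month, y.day) and "Failed" in l]

if __name__ == "__main__":
    now = datetime(2006, 7, 6, 15, 20, 44)
    print("naive:     ", len(naive_yesterday(SAMPLE_LOG, now)), "failures")
    print("year-aware:", len(year_aware_yesterday(SAMPLE_LOG, now)), "failures")
```

The inference assumes lines are in chronological order and cannot detect a silent gap longer than a year, which is why rotating at least once a year (variant b) or logging the year (variant a) remains the actual fix.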


