Add option -Z to syslogd(8) to use ISO 8601 timestamps

Ben Woods woodsb02 at gmail.com
Sun Apr 1 10:25:00 UTC 2018


On 1 April 2018 at 11:25, Julian Elischer <julian at freebsd.org> wrote:

> is there a matching change for syslog(3) to actually generate new
> timestamps?
>
> The syslog protocol is unique in that either end can be responsible for the
> timestamp.
>

The approach the OpenBSD team has taken has been to remove all timestamping
from syslog(3):

"Do not include a timestamp in the syslog message.  There is no need --
syslogd will fill it in immediately upon reception on the other side of
sendsyslog(2).  Our libc only talks to our syslogd, which will fix the
timestamp before forwarding.  syslog_r has done this for a long time
already.
ok tedu bluhm"

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/syslog.c.diff?r1=1.32&r2=1.33&f=h
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/syslog_r.c.diff?r1=1.9&r2=1.10&f=h

The FreeBSD syslog(3) code still adds a timestamp, so there is an option to
either remove this code from syslog(3) similar to OpenBSD, or update the
syslog(3) code to support either timestamp.
My testing shows that if syslogd(8) is not running at the time a message
comes in from syslog(3), the message is dropped (not buffered until syslogd
is once again running).
This means there would be no significant time delay issues causing
incorrect timestamps if syslogd(8) adds the timestamp instead of syslog(3).
https://svnweb.freebsd.org/base/head/lib/libc/gen/syslog.c?revision=326025&view=markup#l171

Note that when testing my patch with the logger(1) tool, which uses
syslog(3), I have found that the RFC3164 timestamp format applied by
syslog(3) is replaced with the RFC5424 timestamp format in syslogd(8), as
per the description below.


> In the case of the new timestamp form you would have to strip off the
> incoming old form timestamp and replace it.
>

Indeed. This is handled by the changes in the parsemsg() function, which
effectively sets the -T option (RemoteAddDate = 1) if it detects the old
timestamp format when the -Z option has been set.
Note that my proposed implementation does not convert the old format to the
new format (and assume the current year), but instead simply strips the old
timestamp and applies a new one. This is as per OpenBSD's implementation.

Regards,
Ben
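
Added example, not part of the original message and not the code from the FreeBSD patch or from OpenBSD: a minimal sketch of the strip-and-replace behaviour described above, where a leading RFC 3164 timestamp is detected, discarded rather than converted, and a fresh ISO 8601 timestamp is applied by the receiver. The function names `has_rfc3164_timestamp` and `restamp` are hypothetical, and using UTC with a `Z` suffix is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define RFC3164_TS_LEN 16   /* "Mmm dd hh:mm:ss " including the trailing space */

/* Return 1 if msg begins with an RFC 3164 timestamp, e.g. "Apr  1 10:25:00 ". */
int has_rfc3164_timestamp(const char *msg)
{
    static const char *const months[] = { "Jan", "Feb", "Mar", "Apr", "May",
        "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    /* s = space, d = digit, D = digit or space (day is space-padded), : = colon */
    static const char shape[] = "...sDdsdd:dd:dds";
    size_t i;

    if (strlen(msg) < RFC3164_TS_LEN)
        return 0;
    for (i = 3; i < RFC3164_TS_LEN; i++) {
        unsigned char c = (unsigned char)msg[i];
        if ((shape[i] == 's' && c != ' ') || (shape[i] == ':' && c != ':') ||
            (shape[i] == 'd' && !isdigit(c)) ||
            (shape[i] == 'D' && c != ' ' && !isdigit(c)))
            return 0;
    }
    for (i = 0; i < 12; i++)
        if (strncmp(msg, months[i], 3) == 0)
            return 1;
    return 0;
}

/* Strip any old-format timestamp and prepend an ISO 8601 one taken from `now`.
 * Returns 0 on success, -1 if out is too small. The old value is discarded,
 * not converted, since RFC 3164 timestamps carry no year or time zone. */
int restamp(const char *msg, time_t now, char *out, size_t outlen)
{
    char ts[32];
    struct tm *tm = gmtime(&now);   /* UTC is an assumption of this sketch */
    int n;

    if (tm == NULL || strftime(ts, sizeof(ts), "%Y-%m-%dT%H:%M:%SZ", tm) == 0)
        return -1;
    if (has_rfc3164_timestamp(msg))
        msg += RFC3164_TS_LEN;
    n = snprintf(out, outlen, "%s %s", ts, msg);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}
```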

