periodic security run output gives false positives after 1 year

Roger Marquis marquis at roble.com
Fri Feb 17 23:56:20 UTC 2012


>> The current syslog syntax timestamp has been reliable now for what, 25+
>> years? I don't personally see any measurable ROI from changing it. YMMV of
>> course.
>
> It is similar to the y2k problem and dates with YY format instead of YYYY - it
> was fine for many years...

Is it?  If I recall, Y2K had more to do with 2-digit year fields that should
have been 4 digits.

> But did you notice that almost everything else is already logging with the year
> in the date?

I don't personally recall a time when everything else wasn't logging the
year, in one format or another.  That's not to imply that syslogs
shouldn't be distinguishable by year but the question seems to be where
the year should be logged, A) on every line or B) in the archive file
name.

I suspect it was not common practice to leave logs on the server for more
than a year when Allman originally wrote syslog, and I have not seen an
environment where logs are left in /var/log for over a year.  Personally,
I would rather see FreeBSD stay backwards compatible and A) leave the
syslog timestamp format alone, instead opting for KIS by simply writing
the year in the archive file name rather than wasting 5 bytes on every
line of every syslog log file.  YMMV.

Roger
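The false positives in the subject line come from exactly the gap this thread is arguing over: a classic syslog timestamp ("Feb 17 23:56:20") carries no year, so a daily check that assumes the current year treats a year-old line as yesterday's. The following is an added illustration, not code from the thread or from FreeBSD's periodic scripts. It parses the year-less timestamp, recovers the year from the archive file name (option B above; the "auth.log.2011.bz2" naming scheme is a constructed assumption, not newsyslog's default), detects a December-to-January rollover inside one file, and contrasts the naive report with the archive-aware one on constructed sample lines.

```python
import re
from datetime import datetime, timedelta

# Classic syslog timestamps carry no year: "Feb 17 23:56:20". The day is space-padded ("Jan  1").
MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) ")


def parse_syslog_ts(line, year):
    """Parse the leading timestamp of one syslog line, using the caller-supplied year.
    Returns None for lines without a timestamp, or for a date that does not exist in
    that year (a Feb 29 line parsed with a non-leap year)."""
    m = TS_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    try:
        return datetime(year, MONTHS[m["mon"]], int(m["day"]),
                        int(m["h"]), int(m["m"]), int(m["s"]))
    except ValueError:
        return None


def year_from_archive_name(path):
    """Option B from the thread: the year lives in the archive file name.
    Assumed naming scheme (constructed): <log>.<YYYY>[.gz|.bz2|.xz]."""
    m = re.search(r"\.(\d{4})(?:\.(?:gz|bz2|xz))?$", path)
    return int(m.group(1)) if m else None


def assign_years(lines, start_year):
    """Walk a file in order, attaching a full datetime to each line. When the timestamp
    moves backwards (Dec 31 followed by Jan 1), the year has rolled over inside the file."""
    year, prev, out = start_year, None, []
    for line in lines:
        ts = parse_syslog_ts(line, year)
        if ts is not None and prev is not None and ts < prev:
            year += 1
            ts = ts.replace(year=year)
        if ts is not None:
            prev = ts
        out.append((ts, line))
    return out


def recent_lines(lines, year, now, window=timedelta(days=1)):
    """What a daily check should report: only lines whose full date falls inside the window."""
    return [line for ts, line in assign_years(lines, year)
            if ts is not None and now - window <= ts <= now]


# Constructed sample: a 2011 archive still sitting in /var/log when the check runs in 2012.
ARCHIVE = "/var/log/auth.log.2011.bz2"
OLD_LINES = [
    "Feb 17 23:50:00 host sshd[101]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    "Feb 17 23:56:20 host sshd[102]: Failed password for root from 192.0.2.10 port 4243 ssh2",
]
NOW = datetime(2012, 2, 18, 3, 1, 0)  # time of the nightly run (constructed)


def naive_report():
    """Assumes the current year for every line: the 2011 lines look like yesterday's."""
    return recent_lines(OLD_LINES, NOW.year, NOW)


def archive_aware_report():
    """Takes the year from the archive name: the same lines are correctly a year old."""
    return recent_lines(OLD_LINES, year_from_archive_name(ARCHIVE), NOW)


if __name__ == "__main__":
    print("naive report:", len(naive_report()), "line(s)")
    print("archive-aware report:", len(archive_aware_report()), "line(s)")
```

The rollover detection in assign_years is what makes the archive-name approach workable for a file that spans New Year: the file name gives the year of its first line, and the one place a timestamp can legitimately go backwards in a chronologically written log is the December-to-January boundary. Lines that cannot be dated (no timestamp, or an impossible date for the assumed year) are kept but never reported as recent, so a parse failure cannot itself manufacture a false positive.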

