Misleading security message output
krinklyfig at spymac.com
Sun Apr 17 06:55:30 PDT 2005
On Wed 13 Apr 05 19:59, Andrew Reilly
<andrew-freebsd at areilly.bpc-users.org> wrote:
> I had an interesting experience, this morning. The nightly
> security message from a CVS server machine that runs a version
> of FreeBSD-4 had arrived, and it claimed that someone who hadn't
> done any work for us for some considerable time had had three
> failed login attempts, late that night. Curious.
> After much hunting around, and checking perimeter logs, it
> turned out that nothing of the sort had happened. The security
> log script had been fooled by the age of the messages.0.gz file,
> which contained messages from more than a year ago. The search
> pattern "$yesterday" doesn't contain a year, because log file
> timestamps don't contain years. The log file was so old because
> rotation is determined by size, and this machine simply doesn't
> have much to log, despite being used daily. It never goes down,
> and is basically completely stable.
Well, you could modify /etc/newsyslog.conf, where it says:
/var/log/messages 600 14 100 * J
change it to:
/var/log/messages 600 14 * @T00 J
This assumes you want 14 message logs, rotated once a day at midnight.
Any message logs over 14 days will be deleted.
> This could be avoided, perhaps, with a NetBSD-style backup/diff
> mechanism, or (incompatibly) with daemontools/multilog-style
> 64-bit time stamps in the log files. It can be worked-around
> by forcing faster log-file rotations, now that I know about
> the problem. I can't think of a really good widely-applicable
> solution, using the existing framework, though.
I'm not quite sure what you mean. Do you want a way to have the
timestamp record the year as well, so that you can keep the default
More information about the freebsd-stable