Misleading security message output

Joshua Tinnin krinklyfig at spymac.com
Sun Apr 17 06:55:30 PDT 2005

On Wed 13 Apr 05 19:59, Andrew Reilly 
<andrew-freebsd at areilly.bpc-users.org> wrote:
> I had an interesting experience, this morning.  The nightly
> security message from a CVS server machine that runs a version
> of FreeBSD-4 had arrived, and it claimed that someone who hadn't
> done any work for us for some considerable time had had three
> failed login attempts, late that night.  Curious.
> After much hunting around, and checking perimeter logs, it
> turned out that nothing of the sort had happened.  The security
> log script had been fooled by the age of the messages.0.gz file,
> which contained messages from more than a year ago.  The search
> pattern "$yesterday" doesn't contain a year, because log file
> timestamps don't contain years.  The log file was so old because
> rotation is determined by size, and this machine simply doesn't
> have much to log, despite being used daily.  It never goes down,
> and is basically completely stable.

Well, you could modify /etc/newsyslog.conf, where it says:

/var/log/messages                       600  14    100  *     J

change it to:

/var/log/messages                       600  14    *    @T00  J

This assumes you want 14 message logs, rotated once a day at midnight. 
Any message logs over 14 days will be deleted.

man newsyslog.conf

> This could be avoided, perhaps, with a NetBSD-style backup/diff
> mechanism, or (incompatibly) with daemontools/multilog-style
> 64-bit time stamps in the log files.  It can be worked-around
> by forcing faster log-file rotations, now that I know about
> the problem.  I can't think of a really good widely-applicable
> solution, using the existing framework, though.

I'm not quite sure what you mean. Do you want a way to have the 
timestamp record the year as well, so that you can keep the default 

- jt

More information about the freebsd-stable mailing list