Rant on Syslogd

Syslogd really should either be modified or ditched for syslog-ng. As anyone who looks at logs knows, its crucial to have full, standard time stamps. This should include, HH:MM:SS:MS YYYY-MM-DD.Rfc3164 states :

5.1 Dates and Time

It has been found that some network administrators like to archive their syslog messages over long periods of time. It has been seen that some original syslog messages contain a more explicit time stamp in which a 2 character or 4 character year field immediately follows the space terminating the TIMESTAMP. This is not consistent with the original intent of the order and format of the fields. If implementers wish to contain a more specific date and time stamp within the transmitted message, it should be within the CONTENT field. Implementers may wish to utilize the ISO 8601 [7] date and time formats if they want to include more explicit date and time information. Additional methods to address this desire for long-term archiving have been proposed and some have been successfully implemented. One such method is that the network administrators may choose to modify the messages stored on their collectors. They may run a simple script to add the year, and any other information, to each stored record. Alternatively, the script may replace the stored time with a format more appropriate for the needs of the network administrators. Another alternative has been to insert a record into the file that contains the current year. By association then, all other records near that informative record should have been received in that same year. Neither of these however, addresses the issue of associating a correct timezone with each record.

IMHO, this is backwards. We shouldn’t require developers to put the year in the content field or have people post process logs to include the year.. Syslog should properly write out the year.

By Mark Cohen

Posted by


Join the Discussion