[Snort-users] [Slightly OT]: what syslog daemon actually ignores the client timestamp?

Jason Haar Jason.Haar at ...294...
Thu Jun 27 17:08:04 EDT 2002


I can't believe this.

As we have sites throughout the world, I am moving our central syslog server
over to UTC. I *expected* that to mean that the logfile entries created by
syslog would all be in UTC too - but it doesn't!!!

A sniffer has shown me the truth. Most "modern" Unix syslog clients (like
Linux) don't timezone their UDP syslog records - so the central syslog
server puts its current timestamp in - which is fine. However, other syslog
clients (such as HP-UX 10 and NTSyslog) do timestamp their records - and the
central syslog server believes them!

Not only do I now see how grossly out of sync some of our boxes' clocks are,
but the local boxes are 12 hours out!!! They're in NZST and the central
server is UTC.

This can't be right. However, both sysklogd and syslog-ng have this problem
- they don't ignore timestamps. syslog-ng has a "use_time_recvd" option that
sounds like it should do the job - but apparently that only affects file
creation macros...

Is there a syslog server that "does this right"? Why has no-one else
noticed? :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
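As an added illustration (not from the original post and not code from any syslog daemon): a collector-side normalizer in Python that drops whatever timestamp an RFC 3164 client wrote into the datagram, stamps the record with the collector's own receive time in UTC, and records the client's offset so a 12-hour NZST/UTC gap like the one above shows up as measured skew instead of being silently trusted. Hostnames, messages and the receive instant are constructed sample data.

```python
import re
from datetime import datetime, timezone

# RFC 3164 record: <PRI>, optionally followed by a BSD timestamp such as "Jun 27 17:08:04 ".
_TIMESTAMPED = re.compile(
    r"^(?P<pri><\d{1,3}>)(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
_BARE = re.compile(r"^(?P<pri><\d{1,3}>)(?P<rest>.*)$")

def _bsd_stamp(t):
    """Format a datetime as an RFC 3164 timestamp (day is space-padded, not zero-padded)."""
    return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"

def normalize(record, received_at):
    """Rewrite a syslog record so its timestamp is the collector's receive time in UTC.

    Returns (normalized_record, skew_seconds). skew_seconds is how far the client's own
    timestamp (taken at face value, as a trusting collector would) lies from the receive
    time, or None when the client sent no timestamp at all.
    """
    recv = received_at.astimezone(timezone.utc)
    m = _TIMESTAMPED.match(record)
    if m:
        # Client supplied a timestamp: measure it against our clock, then discard it.
        # The receive year is prepended because the BSD format carries no year.
        client = datetime.strptime(f"{recv.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        skew = (client.replace(tzinfo=timezone.utc) - recv).total_seconds()
    else:
        m = _BARE.match(record)
        if not m:
            raise ValueError(f"not a syslog record: {record!r}")
        skew = None
    return f"{m['pri']}{_bsd_stamp(recv)} {m['rest']}", skew

# Constructed sample: both datagrams arrive at the collector at the same UTC instant.
RECEIVED_AT = datetime(2002, 6, 27, 21, 8, 4, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    "<13>linux-box sshd[812]: Accepted publickey for ops",  # no client timestamp
    "<13>Jun 28 09:08:04 hpux-box syslogd: restart",        # NZST local time, 12 h ahead of UTC
]

def audit(records=SAMPLE_RECORDS, received_at=RECEIVED_AT, limit=300):
    """Normalize records; return (lines, [(host, skew_hours)]) for clocks off by more than limit seconds."""
    lines, skewed = [], []
    for rec in records:
        line, skew = normalize(rec, received_at)
        lines.append(line)
        if skew is not None and abs(skew) > limit:
            skewed.append((line.split()[3], skew / 3600))
    return lines, skewed

if __name__ == "__main__":
    out, skewed = audit()
    print("\n".join(out))
    print("clock skew (hours):", skewed)
```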
