nanog mailing list archives

Re: Future timestamps in /var/log/secure


From: gordon b slater <gordslater () ieee org>
Date: Fri, 26 Feb 2010 18:50:02 +0000

On Fri, 2010-02-26 at 11:29 -0700, Brielle Bruns wrote:

> Aren't the timestamps inserted by syslog rather than the reporting
> program itself?

that's my understanding also (clarification: syslogs of your server have
timestamps of your syslog server's time, IMHO)
eg: on my Debian systems I don't split the logging to /var/log/secure, I
can usually handle a large log OK, but it's easy enough to get the
authpriv* stuff to log to /v/l/secure if needed. So, my point is,
syslogd.conf tells syslogd where to put them, and it stamps the time for
each entry.

> What syslog do you use - classic (ie: sysklogd) or a modern one like
> rsyslog?  It almost looks like the timezone got changed from local to
> GMT or similar, then swapped back (as odd as it may sound).


On a cautionary note, I've seen tz-change shenanigans to mask
unauthorised access before, so might be a good time to have quick poke
around with a tinfoil hat on, just in case. Don't have a heart attack
though, not yet :)

Gord

--
this .sig space reserved by ITU-T pending clarification of intentions
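
An added example, not part of the original post: one way to run the check the message above suggests, scanning a classic-format /var/log/secure for entries older than their predecessor and marking steps that sit close to a whole number of hours. It takes the thread's premise that syslogd stamps each entry as it writes it; the function names, the 120-second tolerance and the sample lines are constructed for illustration.

```python
from datetime import datetime

HOUR = 3600

def parse_stamp(line, year):
    """Parse the classic syslog prefix 'Mon DD HH:MM:SS' (the format carries no year)."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None  # continuation line or a different timestamp format

def find_backward_steps(lines, year, tolerance=120):
    """Return (line_no, seconds_back, tz_like) for each entry older than its predecessor.

    Assumption (the thread's premise): syslogd stamps entries as it writes them,
    so timestamps within one file should not go backwards. tz_like marks steps
    within `tolerance` seconds of a whole number of hours, the shape a timezone
    change and revert leaves behind. Forward jumps are not flagged because a
    quiet period looks the same. All lines are assumed to fall in one calendar year.
    """
    findings, prev = [], None
    for line_no, line in enumerate(lines, start=1):
        ts = parse_stamp(line, year)
        if ts is None:
            continue
        if prev is not None and ts < prev:
            back = int((prev - ts).total_seconds())
            hours = round(back / HOUR)
            tz_like = hours >= 1 and abs(back - hours * HOUR) <= tolerance
            findings.append((line_no, back, tz_like))
        prev = ts
    return findings

# Constructed sample log: lines 3-4 carry timestamps seven hours ahead.
SAMPLE = """\
Feb 26 10:58:12 host1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Feb 26 11:02:40 host1 sshd[2144]: Failed password for invalid user test from 198.51.100.7 port 41822 ssh2
Feb 26 18:03:05 host1 sshd[2150]: Accepted password for bob from 198.51.100.7 port 41830 ssh2
Feb 26 18:04:11 host1 su: pam_unix(su:session): session opened for user root by bob(uid=1001)
Feb 26 11:05:02 host1 sshd[2161]: Received disconnect from 198.51.100.7: 11: disconnected by user
Feb 26 11:05:30 host1 sshd[2170]: Failed password for root from 203.0.113.5 port 60022 ssh2
Feb 26 11:05:29 host1 sshd[2171]: Connection closed by 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for line_no, back, tz_like in find_backward_steps(SAMPLE, 2010):
        print(f"line {line_no}: {back}s backwards, tz-like={tz_like}")
```

The entries between the last in-order line and a tz-like backward step are the ones stamped in the future, and are the block to review first.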



