Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 583621

Summary: rsyslog 3.x has no longer old syslog timestamp by default
Product: Red Hat Enterprise Linux 5 Reporter: Peter Bieringer <pb>
Component: rsyslogAssignee: Tomas Heinrich <theinric>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 5.5CC: cww, erinn.looneytriggs, ksrot, mdavis, mpoole, plyons, pvrabec, ralston, sgrubb, tao, theinric
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The previous rsyslog release introduced a new format of the message timestamps. However, certain utilities such as logwatch may have been unable to parse this new format properly. To prevent this, the "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat" directive has been added to the /etc/rsyslog.conf configuration file to ensure that the old format is used by default.
 Story Points: ---
Clone Of: 583607 Environment:
Last Closed: 2012-02-21 06:08:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 661148    

Description Peter Bieringer 2010-04-19 09:01:16 UTC 
Hi,

probably the distributed default config should include the workaround below not to break e.g. logwatch suddenly.


+++ This bug was initially created as a clone of Bug #583607 +++

Hi,

after upgrading systems from RHEL 5.4 to 5.5, logwatch reports are no longer catching entries of /var/log/secure and /var/log/messages, because rsyslog was updated to 3.x which now reports in the new timestamp without any adjustments.

Just note, that default config provided by Red Hat is also not changing the timestamp entry.

This results, that logwatch is now broken imho using default rsyslog configuration of 5.5

Just note that the RHEL 5.5 changelog does not mention any changes regarding rsyslog.

BTW: I'm happy that RHEL 5.5 ships rsyslog 3.x, but had not expect such imcompatibility without any notice.

+++ This bug was initially created as a clone of Bug #448789 +++

Logwatch parses the timestamps of the log files it processes.

The traditional Unix syslog timestamp looks like this:

May 28 14:14:46 HOSTNAME ...

The rsyslog package refers to this timestamp format as
"RSYSLOG_TraditionalFileFormat".  It has several glaring deficiencies: it
doesn't collate, it doesn't contain timezone information, and it has only
single-second precision.

rsyslog also supports a more modern timestamp format, called
"RSYSLOG_FileFormat", which is essentially the ISO8601 date/time format.  It
looks like this:

2008-05-28T14:14:46.316223-04:00 HOSTNAME ...

This timestamp format overcomes the deficiencies of the traditional timestamp
format.

However, logwatch does not understand this timestamp format; logwatch expects
all system logs to have the traditional timestamp format.

Logwatch should be enhanced (preferably by upstream) to understand the
RSYSLOG_FileFormat for timestamps, so that system administrators have the option
of using that format for system logs without breaking logwatch.

If I submitted an enhancement patch for logwatch to understand the
RSYSLOG_FileFormat, and the patch was reasonable, would you accept it?  Would
upstream?

--- Additional comment from varekova on 2008-05-29 09:14:52 EDT ---

Hello, thanks for your interest, the best solution is to discuss this problem on
logwatch development mailing list - logwatch-devel. The upstream
guys should be the persons who decide whether it is better to add this support
or not. Could you forward this question to the upstream list? If there is any
problem, please add here a comment.

--- Additional comment from pb on 2010-04-19 04:59:27 EDT ---

According to http://www.rsyslog.com/doc-v3compatibility.html the new timestamp was chosen by default since version 3.x now.

Workaround to get old timestamp:

add to first line of /etc/rsyslog.conf:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
Comment 1 Peter Bieringer 2010-04-19 13:24:28 UTC 
Just note that rsyslog shipped with Fedora 12 has per default a proper timestamp config in /etc/rsyslog.conf
Comment 2 Peter Bieringer 2010-06-09 09:40:54 UTC 
Filed SR#2029498 for speed up this issue
Comment 3 Erinn Looney-Triggs 2010-09-24 18:50:38 UTC 
Filed sr#2062280
Comment 7 Jaromir Hradilek 2010-12-13 09:54:27 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The previous rsyslog release introduced a new format of the message timestamps. However, certain utilities such as logwatch may have been unable to parse this new format properly. To prevent this, the "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat" directive has been added to the /etc/rsyslog.conf configuration file to ensure that the old format is used by default.
Comment 14 errata-xmlrpc 2012-02-21 06:08:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0228.html