Description of problem:
The issue is that two messages, "Received disconnect from" and "Connection closed by", seem to use a different timezone than other messages inserted into secure. This appears to be an old issue. See: http://www.fedoraforum.org/forum/archive/index.php/t-106710.html but I could not find a matching bug for it.

Version-Release number of selected component (if applicable):
Kernel info: 2.6.38.7-30.fc15.x86_64 #1 SMP Fri May 27 05:15:53 UTC 2011
openssh-server-5.6p1-31.fc15.1.x86_64
syslog 3.2.4-3 (Not sure if this is even used)

How reproducible:
Every time.

Steps to Reproduce:
1. Install clean Fedora 15
2. Enable sshd
3. Disable root for remote login
3. Go to a remote machine, ssh to server as root (or anything else)
4. Enter root/boguspassword
5. Note that using ssh client I get "connection closed" instead of "Received disconnect" but the bad time stamp behavior is the same.
6. Examine /var/logs/secure

Actual results:
Below is a recent snippet of a break in attempt. The actual time was around 4 AM East Coast Time, but then the disconnects appear to be UTC:

Jun 9 04:23:43 snape sshd[28460]: Failed password for root from 178.209.106.124 port 51759 ssh2
Jun 9 08:23:43 snape sshd[28461]: Received disconnect from 178.209.106.124: 11: Bye Bye
Jun 9 04:23:44 snape sshd[28463]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.209.106.124 user=root
Jun 9 04:23:46 snape sshd[28463]: Failed password for root from 178.209.106.124 port 52455 ssh2
Jun 9 08:23:46 snape sshd[28464]: Received disconnect from 178.209.106.124: 11: Bye Bye
Jun 9 04:23:47 snape sshd[28466]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.209.106.124 user=root
Jun 9 04:23:49 snape sshd[28466]: Failed password for root from 178.209.106.124 port 53279 ssh2
Jun 9 08:23:50 snape sshd[28467]: Received disconnect from 178.209.106.124: 11: Bye Bye
Jun 9 04:23:51 snape sshd[28469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.209.106.124 user=root

Expected results:
All entries should be chronological and in same time zone.

Additional info:
Could you please append the output of systemctl status syslog-ng.service? Thanks.
syslog-ng.service
    Loaded: error
    Active: inactive (dead)
OK, reading this, I assume syslog-ng isn't running. You may verify it by issuing systemctl rsyslog.service. (I guess it's running.) To your problem: I think there is a misconfiguration or misbehaviour in sshd. I see the same problem using syslog-ng. Reassigning this bug to openssh component.
Actually this should be handled correctly in rsyslog and I think it is a regression in it. See bug 231326 where the same problem was fixed in the old sysklogd package.
Basically when the syslog daemon receives a message from the local syslog socket it should discard the timestamp and use its own one.
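The behaviour described in the comment above, as an added sketch that is not rsyslog's or sysklogd's code: a receiver for the local syslog socket parses the sender's header, drops the sender's timestamp and stamps the line with its own clock. The function name `restamp`, the sample messages and the 192.0.2.10 address are constructed for illustration.

```python
import re
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Header as written to the local socket: "<PRI>Mmm dd hh:mm:ss tag[pid]: text".
# The timestamp is optional because some senders omit it.
LOCAL_MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) )?"
    r"(?P<rest>.*)$",
    re.DOTALL,
)

def restamp(raw: bytes, received_at: datetime, hostname: str) -> dict:
    """Parse one local-socket message and stamp it with the receiver's clock."""
    text = raw.decode("utf-8", errors="replace").rstrip("\n\x00")
    m = LOCAL_MSG.match(text)
    if m is None or int(m.group("pri")) > 191:
        # No usable priority: keep the whole text and default to user.notice.
        pri, sender_stamp, rest = 13, None, text
    else:
        pri = int(m.group("pri"))
        sender_stamp, rest = m.group("stamp"), m.group("rest")
    # The sender's timestamp is never copied into the output line.
    stamp = (f"{MONTHS[received_at.month - 1]} {received_at.day:2d} "
             f"{received_at:%H:%M:%S}")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "sender_stamp": sender_stamp,  # kept for diagnostics only
        "line": f"{stamp} {hostname} {rest}",
    }

def demo() -> list:
    # Constructed samples: same moment, one sender formatting in local time,
    # the other in UTC (four hours ahead), both authpriv.info (PRI 86).
    samples = [
        b"<86>Jun  9 04:23:43 sshd[28460]: Failed password for root from 192.0.2.10 port 51759 ssh2",
        b"<86>Jun  9 08:23:43 sshd[28461]: Received disconnect from 192.0.2.10: 11: Bye Bye",
    ]
    received_at = datetime(2011, 6, 9, 4, 23, 43)  # receiver's local clock
    return [restamp(s, received_at, "snape")["line"] for s in samples]

if __name__ == "__main__":
    print("\n".join(demo()))
```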
OK, thank you for the info. I'll contact syslog-ng upstream. Seems to happen there, too.
There is an option for syslog-ng to keep incoming messages in sync with server time zone: http://www.balabit.com/wiki/syslog-ng-faq-timestamp-sync
OK, but what about rsyslog which is still the default system logging daemon? Note this bug is assigned to rsyslog.
Oops, I'm sorry. You're right.
*** Bug 738364 has been marked as a duplicate of this bug. ***