Why does the syslog timestamp not include a year?












I am planning to store some of my log messages for more than a year, but the syslog timestamp description from RFC3164 does not include a year in the timestamp portion of a log entry. An example timestamp that I found in my CentOS log messages is Mar 16 07:46:24.



RFC5424 is supposed to make RFC3164 obsolete, but it seems very common across operating systems to use a mmm dd date in logs. RFC5424 is six years old, so I am surprised it is not standard. Why wasn't a year included in RFC3164? Are logs meant to be very temporary? What is the reason for not including a year in logs today?







Tags: date, syslog

asked Mar 16 '15 at 17:34 by Sean Fahey
edited Mar 16 '15 at 22:50 by Gilles












  • From a practical point of view, if you rotate logfiles, additional information is available from the filename or file metadata of the rotated file.
    – Ulrich Schwarz
    Mar 16 '15 at 17:54










  • will the log file's creation date not help?
    – Milind Dumbare
    Mar 16 '15 at 17:59






  • I suspect "compatibility with 35 years' worth of BSD-style syslog logs" is the reason, but have no documented proof. When you eventually switch to systemd (resistance is futile), you can use journalctl's -o short-iso option to get real ISO 8601 timestamps.
    – Mark Plotnick
    Mar 16 '15 at 18:08












  • @MilindDumbare alas, the log file's creation date is not reliable. Log files may be copied prior to analysis. Also, syslog allows messages to be moved from machine-to-machine, so the creation date on the machine where the syslog messages are collected may have nothing to do with where they were sent. They may even be collected in a database, and not in a file.
    – vy32
    Dec 20 '18 at 21:41










  • Anyone looking for a reference can certainly use @MarkPlotnick as a reference. He's been around a while, too... See: books.google.com/…
    – vy32
    Dec 20 '18 at 21:43
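
For archives already written in the year-less RFC3164 format the question describes, the year has to be reconstructed from an anchor the analyst trusts. The sketch below is an added example, not code from this thread or from any syslog implementation: `add_years`, `rewrite_iso`, the rollover heuristic and the sample lines are assumptions made here, and `start_year` must come from an out-of-band source rather than from file metadata.

```python
import re
from datetime import datetime

# RFC 3164 TIMESTAMP as stored on disk: "Mmm dd hh:mm:ss", day space-padded,
# no year and no time zone.
STAMP = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_stamp(line):
    """Return (month, day, hour, minute, second), or None without a stamp."""
    m = STAMP.match(line)
    if not m or m.group(1) not in MONTHS:
        return None
    return (MONTHS[m.group(1)], int(m.group(2)), *map(int, m.group(3, 4, 5)))


def add_years(lines, start_year, rollover_months=6):
    """Pair each line with a datetime, inferring the year RFC 3164 omits.

    `lines` are in file order and the first stamped line belongs to
    `start_year`. A backward jump of more than `rollover_months` months is
    read as New Year; a December line directly after a January one is read
    as a late delivery from the previous year. A silent gap longer than a
    year cannot be detected from the text alone.
    """
    year, prev_month, out = start_year, None, []
    for line in lines:
        parts = parse_stamp(line)
        if parts is None:
            out.append((None, line))  # continuation or foreign format
            continue
        month = parts[0]
        if prev_month is not None:
            if prev_month - month > rollover_months:
                year += 1
            elif (prev_month, month) == (1, 12):
                year -= 1
        prev_month = month
        try:
            stamp = datetime(year, *parts)
        except ValueError:
            # e.g. "Feb 29" in a non-leap year: the anchor year is wrong
            raise ValueError(
                f"{line[:15]!r} is not a valid date in {year}") from None
        out.append((stamp, line))
    return out


def rewrite_iso(lines, start_year):
    """Replace the 15-character stamp with ISO 8601 local time (no zone)."""
    return [line if ts is None else ts.isoformat() + line[15:]
            for ts, line in add_years(lines, start_year)]


# Constructed sample lines; only the last timestamp is quoted from the question.
SAMPLE = [
    "Dec 31 23:59:58 host1 sshd[811]: Accepted publickey for alice",
    "Jan  1 00:00:03 host1 CRON[902]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 31 23:59:59 host1 sshd[811]: session opened (delivered late)",
    "    continuation line without a timestamp",
    "Jan  1 00:00:07 host1 sshd[811]: session closed",
    "Mar 16 07:46:24 host1 kernel: eth0 link up",
]

if __name__ == "__main__":
    for out_line in rewrite_iso(SAMPLE, 2014):
        print(out_line)
```
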


















2 Answers
If you would like to add custom timestamps to your syslog output, it's perhaps best to use syslog-ng.

According to this post you could use ts_format() to specify the year in syslog-ng.

According to the syslog-ng.conf(5) man page:

    The syslog-ng application has a number of global options governing DNS
    usage, the timestamp format used, and other general points. Each
    option may have parameters, similarly to driver specifications. To set
    global options, add an option statement to the syslog-ng configuration
    file using the following syntax:

    options { option1(params); option2(params); ... };








answered Oct 7 '15 at 16:17 by AppAraat
edited May 23 '17 at 12:39 by Community

























It doesn't include the year because the syslog format dates to the 1980s and programmers were less careful back then. Most log files were written for humans to read, not to be automatically parsed, and everybody knew what year it was.







answered Dec 20 '18 at 16:52 by vy32












  • Do you have a reference for that, with a more specific date than "the 1980s"? (Section 5.1 of RFC3164 would be a good place to start.) As it stands, this answer is quite vague and looks like a guess or opinion.
    – JigglyNaga
    Dec 20 '18 at 17:31

  • Well, I started using BSD 4.2 Unix in 1984. Syslog appeared in BSD 4.2 and that's when the decision was made to put in the month and day but not the year. (webcache.googleusercontent.com/…)
    – vy32
    Dec 20 '18 at 19:38

  • See comment above about Mark Plotnick.
    – vy32
    Dec 20 '18 at 21:44

















