Future timestamps in /var/log/secure

[LarrySheldon at cox.net (Larry Sheldon)]

On 2/26/2010 12:29 PM, Brielle Bruns wrote:
> On 2/26/10 11:20 AM, Wade Peacock wrote:
>> I found a while ago in /var/log/secure that for an invalid ssh login
>> attempt the ssh Bye Bye line is in the future. I have searched the web
>> and can not find a reason for the future time in the log.
>>
>> Here is a sample. Repeated lines are shown once in first part
>>
>>
>> Feb 26 17:50:38 mx sshd[19115]: Received disconnect from
>> 210.212.145.152: 11: Bye Bye
>> Feb 26 17:50:38 mx sshd[19118]: Received disconnect from
>> 210.212.145.152: 11: Bye Bye
>> Feb 26 09:52:39 mx proftpd[17297]: mx.example.com
>> (208.xxx.xxx.xxx[208.xxx.xxx.xxx]) - FTP no transfer timeout, disconnected
>>
>> Can anyone explain the future time stamp on the Bye Bye lines?
>>
>> OS is Centos 5.4, FYI
>>
> 
> 
> 
> Isn't the timestamps inserted by syslog rather then the reporting 
> program itself?
> 
> What syslog do you use - classic (ie: sysklogd) or a modern one like 
> rsyslog?  It almost looks like the timezone got changed from local to 
> GMT or similar, then swapped back (as odd as it may sound).
> 
> Perhaps time to file a bug report with the author of the syslog daemon 
> you use?

Been a long time since I've dealt with this stuff, but it looks like the
shell for proftpd has a different TZ from the one running the other
stuff.  (syslogd runs in the shell of the caller, right?)

-- 
"Government big enough to supply everything you need is big enough to
take everything you have."

Remember:  The Ark was built by amateurs, the Titanic by professionals.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml