MonitorWare Knowledge Base

The date on my system is correct, but for some reason the year displayed by phplogcon is showing "2007" instead of "2008". It is incorrect both at the main screen, and at the message detail screen. Any idea where this is being picked up? (Running v2.5.21)

[root@splunk phplog]# date
Wed Dec 3 07:46:08 EST 2008

http://10.255.231.148/phplog/index.php? ... highlight=
http://10.255.231.148/phplog/details.php?uid=137239

Date 2007-12-02 14:23:41
Host 10.22.86.1
Messagetype Syslog
Syslogtag Kiwi_Syslog_Daemon
Message Dec 2 14:23:41 10.22.86.1 MSWinEventLog#0110#011Security#01135982#011Tue Dec 02 14:23:40 2008#011567#011Security#011POS#011User#011Success Audit#011POS0208971#011Object Access#011#011Object Access Attempt: Object Server: Security Handle ID: 2244 Object Type: File Process ID: 744 Image File Name: wendposy.exe Access Mask: WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) #0117608443

• Custom phpLogCon configuration?
• Maintenance Contract?
• Installation support?

Which Version of PHP do you have installed? This is a odd problem, I see from your sample message that we have a typical RFC 3164 date header which doesn't contain a year. What phpLogCon internally does is to convert this into a full timestamp we can use internally, php should automatically assign the current year to this timestamp, what it actually does not seem to do here.

A workaround that might solve the problem already you can try, please edit the file include/functions_common.php
Search for this code:

Code: Select all

$eventtime[EVTIME_TIMESTAMP] = mktime($out[3], $out[4], $out[5], GetMonthFromString($out[1]), $out[2]);

Replace with this code:

Code: Select all

$eventtime[EVTIME_TIMESTAMP] = mktime($out[3], $out[4], $out[5], GetMonthFromString($out[1]), $out[2], date("Y") );

This should force php to use the current year on the timestamp.

--
best regards,
Andre Lorbach

alorbach wrote:Which Version of PHP do you have installed? This is a odd problem, I see from your sample message that we have a typical RFC 3164 date header which doesn't contain a year. What phpLogCon internally does is to convert this into a full timestamp we can use internally, php should automatically assign the current year to this timestamp, what it actually does not seem to do here.

[root@splunk ~]# php --version
PHP 5.2.4 (cli) (built: Oct 16 2007 09:13:35)

I will try your work around this morning and see if that fixes the problem. Thanks!

alorbach wrote:

Code: Select all

$eventtime[EVTIME_TIMESTAMP] = mktime($out[3], $out[4], $out[5], GetMonthFromString($out[1]), $out[2], date("Y") );

This should force php to use the current year on the timestamp.

Andre - Unfortunately, this code change did not fix the issue.....

Date 2007-12-08 10:08:11
Host 10.7.72.101
Messagetype Syslog
Syslogtag Kiwi_Syslog_Daemon
Message Dec 8 10:08:11 10.7.72.101 MSWinEventLog

I'm having the same problem - all dates showing 2007 instead of 2008. Changed the code as above in line 757 but that didn't solve the problem. My PHP version:

PHP 5.2.4 with Suhosin-Patch 0.9.6.2 (cli) (built: Sep 23 2007 14:12:53)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

Are you both using kiwi syslog?
What is the log source, a database or logfile? If it is a text based logfile, please post some sample messages here.

regards,
Andre

I'm using syslog-ng 1.6. The log source is a log file and I 'manage' many logfiles via PHP Logcon.

Here's a sample log file whose Year should be "2008" but it says "2007" in PHP Logcon web interface:

Dec 11 07:20:16 nurang Service Control Manager 08 [kern.info] Service Control Manager[1034] Category:(0); User:; The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

Any update on this? Any way I can force it to read the system date? Thanks for any help.

Hi again,

that was a silly typo in functions_common.php !
Edit: include/functions_common.php

Search for

Code: Select all

case "Dez":

Replace with:

Code: Select all

case "Dec":

This will be fixed in the next release.

best regards,
Andre Lorbach

I am also seeing the incorrect year displayed across all log files. Data sources are all standard syslog-ng (text) files.

The bug/typo shown above is clearly fixed in the latest release:

Code: Select all

                case "Dec":
                        return 12;

...so that isn't the problem.

This seems suspect, but I'm not a php dev:

Code: Select all

                {
                        // rare case on new year only!
                        $eventtime[EVTIME_TIMESTAMP] = mktime($out[3], $out[4], $out[5], GetMonthFromString($out[1]), $out[2], date("Y")-1 );
                }

Local client/desktop, syslog server/phpLogCon server are all correctly synchronized via NTP.
phpLogCon Version 2.7.1
syslog-ng 2.0.9

Thanks.

Post some original syslog messages, so we can verify the input format.

best regards,
Andre Lorbach

These are the last 10 lines from the log file:

Code: Select all

Aug 13 04:48:53 10.2.3.2 lb01.atl2, L4 server 10.2.3.106 pxc07 port 8128 is up
Aug 13 04:48:55 10.2.3.3 lb02.atl2, L4 server 10.2.3.106 pxc07 port 8020 is up
Aug 13 04:48:55 10.2.3.3 lb02.atl2, L4 server 10.2.3.106 pxc07 port 8232 is up
Aug 13 04:48:55 10.2.3.3 lb02.atl2, L4 server 10.2.3.106 pxc07 port 8125 is up
Aug 13 12:21:37 10.2.3.2 lb01.atl2, L4 server 10.2.6.52 avs03 port 2120 is down due to healthcheck
Aug 13 12:21:37 10.2.3.2 lb01.atl2, L4 server 10.2.6.99 plz99 port 2120 is down. SERVICE DOWN
Aug 13 12:21:37 10.2.3.2 lb01.atl2, Sym VIP 10.2.6.99 changed state from active to standby(Keep from master)
Aug 13 12:21:38 10.2.3.3 lb02.atl2, L4 server 10.2.6.52 avs03 port 2120 is down due to healthcheck
Aug 13 12:21:38 10.2.3.3 lb02.atl2, L4 server 10.2.6.99 plz99 port 2120 is down. SERVICE DOWN
Aug 13 12:21:45 10.2.3.3 lb02.atl2, Sym VIP 10.2.6.99 changed state from standby to active(No Keep)

Onscreen, phpLogCon displays the last several (all those with times of ~12:21) like this: 2008-08-13 12:21:45

Starting with the ~04:48 lines, the date displays correctly: Today 04:54:32

Is this a time zone issue, perhaps?
Thanks much.

This is proberly a timezone issue. First of all this kind of timestamp in the syslog header doesn't have the year in it, thats why we have to assume it. If the time from the logfile is below the current time, we assume that the logfiles are from the current year. However if the time in the logfiles is ahead of the time of the webserver, then we assume they are from the last year.

This is what is happening here. Is there any chance to get this time difference fixed?
And are you using rsyslog?

best regards,
Andre Lorbach

Aha, that explains it. All of my network devices, servers, etc. use GMT. My desktop uses EST (GMT-05:00). That's not a big problem, now that I understand it.

Thanks!