I've been noticing yum updates on several servers I manage over the last few weeks, which I know I didn't perform and could not explain until this morning. At first I suspect a break-in, but found no other evidence or reason an intruder would run the yum updates I was viewing.

Yum updates are logged in /var/log/yum.log, which is what Logwatch scans. Seems that the format of the log entries is: "MMM DD", the year is missing! This morning looking at this log sequentially I noticed I did do yum updates on Apr 02 and Apr 03 as reported in last night's logwatch, but not April of 2009, but rather April of 2008!

Has anyone else noticed this behavior and/or know if there is a fix in progress for it?

Brett
Brett Serkez wrote:
> I've been noticing yum updates on several servers I manage over the
> last few weeks, which I know I didn't perform and could not explain
> until this morning. At first I suspect a break-in, but found no other
> evidence or reason an intruder would run the yum updates I was
> viewing.
>
> Yum updates are logged in /var/log/yum.log, which is what Logwatch
> scans. Seems that the format of the log entries is: "MMM DD", the
> year is missing! This morning looking at this log sequentially I
> noticed I did do yum updates on Apr 02 and Apr 03 as reported in last
> night's logwatch, but not April of 2009, but rather April of 2008!
>
> Has anyone else noticed this behavior and/or know if there is a fix in
> progress for it?

I've noticed the same problem occurs at least as far back as Fedora Core 1 and it has startled me as well. I like to keep my log files around for a lot longer than the system defaults. I guess people running the stock logrotate configuration and never changing it would be much less likely to ever notice this problem.
On Fri, Apr 03, 2009, Brett Serkez wrote:
>I've been noticing yum updates on several servers I manage over the
>last few weeks, which I know I didn't perform and could not explain
>until this morning. At first I suspect a break-in, but found no other
>evidence or reason an intruder would run the yum updates I was
>viewing.
>
>Yum updates are logged in /var/log/yum.log, which is what Logwatch
>scans. Seems that the format of the log entries is: "MMM DD", the
>year is missing! This morning looking at this log sequentially I
>noticed I did do yum updates on Apr 02 and Apr 03 as reported in last
>night's logwatch, but not April of 2009, but rather April of 2008!
>
>Has anyone else noticed this behavior and/or know if there is a fix in
>progress for it?

I would be surprised at any syslog entries that did have a year in the date. Any log processing routines that sort on date have to deal with this, particularly on year-end logs where one may have entries for December followed by those from January.

This seems to be the case for syslog entries going back at least to Caldera eDesktop 2.4 (the oldest Linux system we support running today that I can check). I just checked a SCO OpenServer 5.0.6a box, and its log entries are missing the year as is a new OpenSolaris system I built within the last week.

Bill
--
INTERNET: bill at celestial.com   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676   Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Once at a social gathering, Gladstone said to Disraeli, I predict, Sir, that you will die either by hanging or of some vile disease. Disraeli replied, "That all depends upon whether I embrace your principles or your mistress".
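Added example, not part of the original thread and not Logwatch's own code: one way a log-processing routine can deal with yearless "MMM DD" stamps, including a December-to-January boundary, by walking the file backwards from a known reference time. It assumes entries are in chronological order, the last one is no later than the reference time, and consecutive entries are less than a year apart; the sample lines and package names are constructed.

```python
from datetime import date, datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample in a yearless "MMM DD HH:MM:SS action: package" layout;
# package names are placeholders.
SAMPLE = """\
Apr 02 09:14:07 Updated: pkg-a-1.0-1.noarch
Apr 03 11:02:45 Updated: pkg-b-1.0-1.noarch
Dec 28 23:50:12 Updated: pkg-c-1.0-1.noarch
Jan 05 08:30:00 Installed: pkg-d-1.0-1.noarch
Mar 20 14:00:00 Updated: pkg-e-1.0-1.noarch
""".splitlines()

def resolve(stamp, later):
    """Latest datetime matching a yearless stamp that is not after `later`."""
    mon, day, clock = stamp
    h, m, s = map(int, clock.split(":"))
    for year in range(later.year, later.year - 9, -1):
        try:
            ts = datetime(year, MONTHS[mon], int(day), h, m, s)
        except ValueError:          # Feb 29 in a non-leap year: try earlier
            continue
        if ts <= later:
            return ts
    raise ValueError("cannot place %r before %s" % (stamp, later))

def assign_years(lines, newest):
    """Walk the log backwards from `newest` (e.g. the file's mtime), stepping
    the year down when a stamp would land after the entry that follows it."""
    out, later = [], newest
    for line in reversed(lines):
        mon, day, clock, msg = line.split(None, 3)
        later = resolve((mon, day, clock), later)
        out.append((later, msg))
    return out[::-1]

def entries_on(lines, newest, day):
    """Messages whose resolved date, year included, equals `day`."""
    return [msg for ts, msg in assign_years(lines, newest) if ts.date() == day]

def naive_entries_on(lines, day):
    """Prefix match on "MMM DD" only: the misreport described in the thread."""
    prefix = day.strftime("%b %d")
    return [l.split(None, 3)[3] for l in lines if l.startswith(prefix)]

if __name__ == "__main__":
    run = datetime(2009, 4, 3, 4, 2)   # assumed time of the nightly report
    print(naive_entries_on(SAMPLE, date(2009, 4, 2)), entries_on(SAMPLE, run, date(2009, 4, 2)))
```

On the sample, the prefix match reports the Apr 02 update for 2009, while the year-aware pass places it in 2008 and reports nothing for that day.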
Brett Serkez wrote:
> I've been noticing yum updates on several servers I manage over the
> last few weeks, which I know I didn't perform and could not explain
> until this morning. At first I suspect a break-in, but found no other
> evidence or reason an intruder would run the yum updates I was
> viewing.
>
> Yum updates are logged in /var/log/yum.log, which is what Logwatch
> scans. Seems that the format of the log entries is: "MMM DD", the
> year is missing! This morning looking at this log sequentially I
> noticed I did do yum updates on Apr 02 and Apr 03 as reported in last
> night's logwatch, but not April of 2009, but rather April of 2008!
>
> Has anyone else noticed this behavior and/or know if there is a fix in
> progress for it?

That's why the logrotate default for yum.log was changed to "yearly" in the 5.3 updates.

--
Bob Nichols
"NOSPAM" is really part of my email address. Do NOT delete it.
Hi,

On Fri, Apr 3, 2009 at 12:31, Brett Serkez <bserkez at gmail.com> wrote:
> Yum updates are logged in /var/log/yum.log, which is what Logwatch
> scans. Seems that the format of the log entries is: "MMM DD", the
> year is missing! This morning looking at this log sequentially I
> noticed I did do yum updates on Apr 02 and Apr 03 as reported in last
> night's logwatch, but not April of 2009, but rather April of 2008!

I (and many others) have seen this issue before. I opened a bug for it upstream:

https://bugzilla.redhat.com/show_bug.cgi?id=447021

But it was ignored. Your feedback to upstream would probably be welcome there.

Cheers,
Filipe