Fix #42: add option to always trust kernel timestamp

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

man/syslogd.8

@@ -38,7 +38,7 @@
 .Nd log systems messages
 .Sh SYNOPSIS
 .Nm
-.Op Fl ?46AdFHknsTv
+.Op Fl ?46AdFHKknsTv
 .Op Fl a Ar addr[/len][:port]
 .Op Fl a Ar name[:port]
 .Op Fl b Ar addr[:port]
@@ -255,6 +255,24 @@ and wants to monitor when and how it exits.
 .It Fl H
 When logging remote messages use hostname from the message (if supplied)
 instead of using address from which the message was received.
+.It Fl K
+Keep (trust) kernel timestamp.
+.Pp
+On Linux systems the
+.Pa /dev/kmsg
+timestamp is a monotonic clock, in microseconds, relative to the boot of
+the system.  This timestamp is, among other things,
+.Sy not
+adjusted for suspend/resume cycles, meaning the kernel logs can start to
+go out of sync with the rest of the system.  This in turn can make it
+really hard to correlate events.
+.Pp
+.Nm
+by default only trusts the kernel timestamp when starting up the first
+time.  As soon as the the kernel ring buffer has been emptied,
+.Nm
+uses its own current time for each received kernel log message.  This
+option disables that behavior.
 .It Fl k
 Disable the translation of
 messages received with facility

src/syslogd.c

@@ -141,6 +141,7 @@ static int	  RemoteAddDate;	  /* Always set the date on remote messages */
 static int	  RemoteHostname;	  /* Log remote hostname from the message */
 
 static int	  KeepKernFac;		  /* Keep remotely logged kernel facility */
+static int	  KeepKernTime;		  /* Keep kernel timestamp, evern after initial read */
 
 static off_t	  RotateSz = 0;		  /* Max file size (bytes) before rotating, disabled by default */
 static int	  RotateCnt = 5;	  /* Max number (count) of log files to keep, set with -c <NUM> */
@@ -253,7 +254,7 @@ static void sys_seqno_save(void)
 int usage(int code)
 {
 	printf("Usage:\n"
-	       "  syslogd [-46AdFknsTv?] [-a PEER] [-b NAME] [-f FILE] [-m INTERVAL]\n"
+	       "  syslogd [-46AdFKknsTv?] [-a PEER] [-b NAME] [-f FILE] [-m INTERVAL]\n"
 	       "                          [-P PID_FILE] [-p SOCK_PATH] [-r SIZE[:NUM]]\n"
 	       "Options:\n"
 	       "  -4        Force IPv4 only\n"
@@ -284,6 +285,7 @@ int usage(int code)
 	       "  -F        Run in foreground, required when monitored by init(1)\n"
 	       "  -f FILE   Alternate .conf file, default: %s\n"
 	       "  -k        Allow logging with facility 'kernel', otherwise remapped to 'user'\n"
+	       "  -K        Keep kernel timestamp, even after initial ring buffer emptying\n"
 	       "  -m MINS   Interval between MARK messages, 0 to disable, default: 20 min\n"
 	       "  -n        Disable DNS query for every request\n"
 	       "  -P FILE   File to store the process ID, default: %s\n"
@@ -315,7 +317,7 @@ int main(int argc, char *argv[])
 	int pflag = 0, bflag = 0;
 	int ch;
 
-	while ((ch = getopt(argc, argv, "46Aa:b:C:dHFf:km:nP:p:r:sTv?")) != EOF) {
+	while ((ch = getopt(argc, argv, "46Aa:b:C:dHFf:Kkm:nP:p:r:sTv?")) != EOF) {
 		switch ((char)ch) {
 		case '4':
 			family = PF_INET;
@@ -370,6 +372,10 @@ int main(int argc, char *argv[])
 			KeepKernFac = 1;
 			break;
 
+		case 'K':	/* keep/trust kernel timestamp always */
+			KeepKernTime = 1;
+			break;
+
 		case 'm': /* mark interval */
 			MarkInterval = atoi(optarg) * 60;
 			break;
@@ -1238,7 +1244,7 @@ void printsys(char *msg)
 			 * current time of any new kernel messages.
 			 *     -- Joachim Wiberg Nov 23, 2021
 			 */
-			if (!sys_seqno_init) {
+			if (KeepKernTime || !sys_seqno_init) {
 				now = boot_time + ustime / 1000000;
 				buffer.timestamp.usec = ustime % 1000000;
 				localtime_r(&now, &buffer.timestamp.tm);