diff --git a/man/syslogd.8 b/man/syslogd.8 index a83286c..78517cd 100644 --- a/man/syslogd.8 +++ b/man/syslogd.8 @@ -38,7 +38,7 @@ .Nd log systems messages .Sh SYNOPSIS .Nm -.Op Fl ?46AdFHknsTv +.Op Fl ?46AdFHKknsTv .Op Fl a Ar addr[/len][:port] .Op Fl a Ar name[:port] .Op Fl b Ar addr[:port] @@ -255,6 +255,24 @@ and wants to monitor when and how it exits. .It Fl H When logging remote messages use hostname from the message (if supplied) instead of using address from which the message was received. +.It Fl K +Keep (trust) kernel timestamp. +.Pp +On Linux systems the +.Pa /dev/kmsg +timestamp is a monotonic clock, in microseconds, relative to the boot of +the system. This timestamp is, among other things, +.Sy not +adjusted for suspend/resume cycles, meaning the kernel logs can start to +go out of sync with the rest of the system. This in turn can make it +really hard to correlate events. +.Pp +.Nm +by default only trusts the kernel timestamp when starting up the first +time. As soon as the the kernel ring buffer has been emptied, +.Nm +uses its own current time for each received kernel log message. This +option disables that behavior. .It Fl k Disable the translation of messages received with facility diff --git a/src/syslogd.c b/src/syslogd.c index 75f4182..891be7c 100644 --- a/src/syslogd.c +++ b/src/syslogd.c @@ -141,6 +141,7 @@ static int RemoteAddDate; /* Always set the date on remote messages */ static int RemoteHostname; /* Log remote hostname from the message */ static int KeepKernFac; /* Keep remotely logged kernel facility */ +static int KeepKernTime; /* Keep kernel timestamp, evern after initial read */ static off_t RotateSz = 0; /* Max file size (bytes) before rotating, disabled by default */ static int RotateCnt = 5; /* Max number (count) of log files to keep, set with -c */ @@ -253,8 +254,8 @@ static void sys_seqno_save(void) int usage(int code) { printf("Usage:\n" - " syslogd [-46AdFknsTv?] [-a PEER] [-b NAME] [-f FILE] [-m INTERVAL]\n" - " [-P PID_FILE] [-p SOCK_PATH] [-r SIZE[:NUM]]\n" + " syslogd [-46AdFKknsTv?] [-a PEER] [-b NAME] [-f FILE] [-m INTERVAL]\n" + " [-P PID_FILE] [-p SOCK_PATH] [-r SIZE[:NUM]]\n" "Options:\n" " -4 Force IPv4 only\n" " -6 Force IPv6 only\n" @@ -284,6 +285,7 @@ int usage(int code) " -F Run in foreground, required when monitored by init(1)\n" " -f FILE Alternate .conf file, default: %s\n" " -k Allow logging with facility 'kernel', otherwise remapped to 'user'\n" + " -K Keep kernel timestamp, even after initial ring buffer emptying\n" " -m MINS Interval between MARK messages, 0 to disable, default: 20 min\n" " -n Disable DNS query for every request\n" " -P FILE File to store the process ID, default: %s\n" @@ -315,7 +317,7 @@ int main(int argc, char *argv[]) int pflag = 0, bflag = 0; int ch; - while ((ch = getopt(argc, argv, "46Aa:b:C:dHFf:km:nP:p:r:sTv?")) != EOF) { + while ((ch = getopt(argc, argv, "46Aa:b:C:dHFf:Kkm:nP:p:r:sTv?")) != EOF) { switch ((char)ch) { case '4': family = PF_INET; @@ -370,6 +372,10 @@ int main(int argc, char *argv[]) KeepKernFac = 1; break; + case 'K': /* keep/trust kernel timestamp always */ + KeepKernTime = 1; + break; + case 'm': /* mark interval */ MarkInterval = atoi(optarg) * 60; break; @@ -1238,7 +1244,7 @@ void printsys(char *msg) * current time of any new kernel messages. * -- Joachim Wiberg Nov 23, 2021 */ - if (!sys_seqno_init) { + if (KeepKernTime || !sys_seqno_init) { now = boot_time + ustime / 1000000; buffer.timestamp.usec = ustime % 1000000; localtime_r(&now, &buffer.timestamp.tm);