log file names w/timestamps and timezone (was "Re: Rotating Argus Logs")

Dave Plonka plonka at doit.wisc.edu
Wed Dec 28 11:59:14 EST 2005


On Wed, Dec 28, 2005 at 05:32:53PM +1300, Russell Fulton wrote:
> 
> -- it's smart to name log files so that 
> shell globbing gets the files in chronological order ;)

That would be nice, but beware that in locales that have Daylight
Savings Time (where the same hour of one day recurs in fall) it's hard
to include a local timestamp in the filename and get it to sort
correctly for all days of the year.  You could use UTC, but that's
inconvenient for those of us that think in localtime.

To avoid ambiguities regarding the timezone for FlowScan (flow-tools,
etc.) we put the offset from UTC in the file names (as a +/- suffix)
like this:

   ft-v05.2005-12-28.104500-0600

With argus, I do it like this via a cron job as mentioned previously:

   test -f argus.out && mv argus.out argus.`date +%Y%m%d_%H:%M:%S%z`

(GNU date supports %z to yield the timezone as hours east of GMT.)

Then scripts that need to process them in order need to translate the
timestamps in the filenames and sort the names before processing them.
E.g. in perl:

   sub by_timestamp {
      FlowScan::file2time_t($a) <=> FlowScan::file2time_t($b)
   }

   my @files = sort by_timestamp <${flowfileglob}>;

An alternative would be to trust the modification time and sort by that
as it's already UTC, but I don't since sometimes I preprocess the files
before further processing.

You can find perl routines to convert the timestamps respecting the
timezone offset in the FlowScan.pm module in the FlowScan
distribution.  (Specifically, that file2time_t subroutine.)

   http://net.doit.wisc.edu/~plonka/FlowScan/

Dave

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
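
An added example, not part of the original post and not FlowScan's file2time_t: a Python sketch that sorts file names in the two layouts shown above by the instant they encode rather than by their text. The function names, regexes and sample file names (constructed around a fall DST transition) are assumptions of this example.

```python
import re
from datetime import datetime

# Name layouts are the two shown in the post; the regexes are this example's own.
_LAYOUTS = [
    # argus.20051228_10:45:00-0600   (date +%Y%m%d_%H:%M:%S%z)
    (re.compile(r"^argus\.(\d{8}_\d\d:\d\d:\d\d[+-]\d{4})$"), "%Y%m%d_%H:%M:%S%z"),
    # ft-v05.2005-12-28.104500-0600  (flow-tools style)
    (re.compile(r"^ft-v\d+\.(\d{4}-\d\d-\d\d\.\d{6}[+-]\d{4})$"), "%Y-%m-%d.%H%M%S%z"),
]

def file_to_epoch(name):
    """Return the UTC epoch seconds encoded in a log file name, or None."""
    base = name.rsplit("/", 1)[-1]          # ignore any directory part
    for rx, fmt in _LAYOUTS:
        m = rx.match(base)
        if m:
            try:
                # %z makes the datetime offset-aware, so timestamp() is UTC-based
                return int(datetime.strptime(m.group(1), fmt).timestamp())
            except ValueError:              # e.g. month 13 or hour 25
                return None
    return None

def sort_by_timestamp(names):
    """Return (chronological list, names that could not be parsed)."""
    keyed, skipped = [], []
    for n in names:
        t = file_to_epoch(n)
        if t is None:
            skipped.append(n)               # report, never silently reorder
        else:
            keyed.append((t, n))
    return [n for _, n in sorted(keyed)], skipped

# Constructed sample: the 01:00 hour occurs twice, first at -0500, then at -0600.
SAMPLE = [
    "argus.20051030_00:45:00-0500",
    "argus.20051030_01:15:00-0600",
    "argus.20051030_01:45:00-0500",
    "argus.20051030_02:15:00-0600",
    "argus.out",
]

if __name__ == "__main__":
    ordered, skipped = sort_by_timestamp(SAMPLE)
    print("glob order :", sorted(n for n in SAMPLE if n not in skipped))
    print("time order :", ordered)
    print("unparsed   :", skipped)
```

For the sample, glob order places 01:15-0600 ahead of 01:45-0500 even though the latter was written half an hour earlier.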


