For When You Can't Have The Real Thing
[ start | index | login ]
start > Linux > ntp > ntp footprint

ntp footprint

Created by dave. Last edited by dave, 5 years and 42 days ago. Viewed 5,893 times. #3
[diff] [history] [edit] [rdf]

NTP Footprinting

Since there can be a lot of clock drift out there, there can be some question as to whether or not a system's time stamps on logs can be really trusted.

I use two strategies for recording sequence-of-events logs:

  1. Log everything to a central machine.
    Most syslogs won't cache things if they have a remote system to send the record off to. The central syslog won't cache either if it is receiving datastreams from multiple machines, and it applies its own timestamp to the records. If you trust the clock on the central machine, you usually end up with a reasonably trustable time-stamped sequence of events which is accurate to within a couple of seconds.
  2. Run ntp and periodically log the time source.
    In cron:
    0 6,18 * * * /usr/sbin/ntpq -p | grep '*'  | logger -t ntp
    Or, if you have a newer distro with systemd:
    0 6,18 * * * /usr/bin/chronyc tracking | egrep 'time|off' | logger -t ntp
    This logs the system that the clock is currently locked to twice a day, proving that the clock on the relevant machine is reasonably trustworthy for time-stamping purposes.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt