Running a syslogd as of today, it seems that the host and facility.priority fields are suddenly swapped.

Now we have:
Jul 1 19:35:40 gate <kern.crit> kernel: GEOM_ELI: Device ada4.eli created.

For the last 25 years it was:
Jun 14 17:02:54 <kern.crit> gate kernel: GEOM_ELI: Device ada4.eli created.
Ed, I think this one may be for you.
Hi Andre, Thanks for reporting. Just to confirm, this is with syslogd running with the -v flag (LogFacPri), right? It looks like this behaviour was changed unintendedly. Can you give the following patch a try and let me know whether it addresses the issue you were seeing? Thanks! Index: syslogd.c =================================================================== --- syslogd.c (revision 335760) +++ syslogd.c (working copy) @@ -1873,8 +1873,6 @@ /* Message written to files. */ iovlist_append(&il, timebuf); iovlist_append(&il, " "); - iovlist_append(&il, hostname); - iovlist_append(&il, " "); if (LogFacPri) { iovlist_append(&il, "<"); @@ -1918,6 +1916,9 @@ iovlist_append(&il, "> "); } + + iovlist_append(&il, hostname); + iovlist_append(&il, " "); break; }
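Review bot: in the first hunk (@@ -1873), removing the hostname append from directly after timebuf means every message written to files now depends on the append added in the second hunk. The lines between the two hunks are not shown, so confirm that no path in between leaves the case before the hostname is appended, otherwise that path would write lines with no hostname at all.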
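Review bot: the hostname append added just before "break;" in the second hunk (@@ -1918) has no comment saying that it must come after the LogFacPri block. Suggest a one-line comment above iovlist_append(&il, hostname) stating the intended field order (timestamp, <facility.priority>, hostname), so the ordering reads as deliberate to whoever touches this code next.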
-vv, to be honest ;-)

> Can you give the following patch a try and let me know whether it addresses the

Yes, it does, thanks! (Actually, I have been running my syslogd with this patch since yesterday and just found out that it didn't make it into the bug report.)

BTW, maybe one should mention in the man file that -v(v) only applies to the old (compatible) mode since the priority always seems to be included in the rfc5424 mode...
A commit references this bug:

Author: ed
Date: Mon Jul 2 10:57:23 UTC 2018
New revision: 335861
URL: https://svnweb.freebsd.org/changeset/base/335861

Log:
  Restore the order in which RFC 3164 messages with fac/pri are formatted.

  The refactoring of the syslogd code to format messages using iovecs slightly altered the output of syslogd by placing the facility/priority after the hostname, as opposed to printing it right before. This change reverts the behaviour to be consistent with how it was before.

  PR: 229457
  Reported by: Andre Albsmeier
  MFC after: 1 week

Changes:
  head/usr.sbin/syslogd/syslogd.c
A commit references this bug:

Author: ed
Date: Mon Jul 2 11:02:27 UTC 2018
New revision: 335862
URL: https://svnweb.freebsd.org/changeset/base/335862

Log:
  Document that syslogd -v has no effect when RFC 5424 mode is enabled.

  The variable it sets, LogFacPri, is only used in the RFC 3164 formatting codepath.

  PR: 229457
  Reported by: Andre Albsmeier
  MFC after: 1 week

Changes:
  head/usr.sbin/syslogd/syslogd.8
Thanks. But do you think we should really wait 1 week for the MFC? This thing has some security aspects (e.g., sshguard not triggering)?
Hi Andre, As this only affects a relatively small number of setups (ones that both use sshguard and syslogd -vv), I'm inclined to say there's no need to rush. Waiting one week is all right.
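Added example (not part of the thread, and not sshguard's or syslogd's code): a log parser anchored to the historical field order silently drops lines written in the swapped order, which is the failure mode raised above. The regexes, function names and sshd sample lines are constructed for illustration; the tolerant pattern accepts <fac.pri> on either side of the hostname, and rejected lines are returned so they can be counted instead of vanishing.

```python
import re

# Header pieces of an RFC 3164-style line as written to files by syslogd.
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
HOST = r"(?P<host>[^\s<>]+)"
TAIL = r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)"

# Strict: <fac.pri> may only appear before the hostname (the historical order).
STRICT = re.compile(rf"^{TS} (?:<(?P<fp>[\w.]+)> )?{HOST} {TAIL}$")
# Tolerant: <fac.pri> is optional and accepted on either side of the hostname.
TOLERANT = re.compile(
    rf"^{TS} (?:<(?P<fp>[\w.]+)> )?{HOST} (?:<(?P<fp2>[\w.]+)> )?{TAIL}$")


def parse(line, pattern):
    """Return a dict of header fields, or None if the line does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    d = m.groupdict()
    fp, fp2 = d.pop("fp"), d.pop("fp2", None)
    d["facpri"] = fp or fp2
    return d


def failed_logins(lines, pattern):
    """Count sshd 'Invalid user' events; also return lines the parser rejected."""
    hits, unparsed = 0, []
    for line in lines:
        rec = parse(line, pattern)
        if rec is None:
            unparsed.append(line)  # surface these; a silent drop hides the gap
        elif rec["tag"] == "sshd" and rec["msg"].startswith("Invalid user "):
            hits += 1
    return hits, unparsed


# Constructed sample lines: historical order, swapped order, and no <fac.pri>.
SAMPLE = [
    "Jun 14 17:02:54 <auth.info> gate sshd[4242]: Invalid user admin from 192.0.2.10 port 51234",
    "Jul  1 19:35:40 gate <auth.info> sshd[4243]: Invalid user admin from 192.0.2.10 port 51300",
    "Jul  1 19:35:41 gate sshd[4244]: Invalid user test from 192.0.2.10 port 51301",
]

if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("tolerant", TOLERANT)):
        hits, unparsed = failed_logins(SAMPLE, pat)
        print(f"{name}: {hits} hits, {len(unparsed)} unparsed")
```

A non-zero count of unparsed lines after a syslogd upgrade is the signal that the on-disk format has shifted under the parser.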
A commit references this bug:

Author: ed
Date: Sat Jul 7 11:38:45 UTC 2018
New revision: 336058
URL: https://svnweb.freebsd.org/changeset/base/336058

Log:
  MFC r335861:

  Restore the order in which RFC 3164 messages with fac/pri are formatted.

  The refactoring of the syslogd code to format messages using iovecs slightly altered the output of syslogd by placing the facility/priority after the hostname, as opposed to printing it right before. This change reverts the behaviour to be consistent with how it was before.

  PR: 229457

Changes:
  _U stable/11/
  stable/11/usr.sbin/syslogd/syslogd.c
A commit references this bug:

Author: ed
Date: Sat Jul 7 11:39:20 UTC 2018
New revision: 336059
URL: https://svnweb.freebsd.org/changeset/base/336059

Log:
  MFC r335862:

  Document that syslogd -v has no effect when RFC 5424 mode is enabled.

  The variable it sets, LogFacPri, is only used in the RFC 3164 formatting codepath.

  PR: 229457

Changes:
  _U stable/11/
  stable/11/usr.sbin/syslogd/syslogd.8