Summary: | syslogd does not send RFC3164-conformant messages
---|---
Product: | Base System
Reporter: | mikeg
Component: | bin
Assignee: | freebsd-bugs (Nobody) <bugs>
Status: | Open ---
Severity: | Affects Many People
CC: | bdrewery, cem, ed, emaste, hrs, kevans, koobs, lwhsu, michal.os, mikeg, ngie, sobomax
Priority: | ---
Keywords: | easy, needs-qa, standards
Version: | 10.3-RELEASE
Hardware: | Any
OS: | Any
URL: | https://www.ietf.org/rfc/rfc3164.txt
See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200933 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194231

Description
mikeg
2017-06-24 08:50:02 UTC
CC'ing ed@, who has done quite a bit with syslogd over the past year.

Hi there,

Thanks for the patch! The syslogd code has been refactored a lot lately to support the RFC 5424 message format. Looking at the code, the issue still applies.

That said, I'm a bit hesitant to change anything for the RFC 3164 format support. People expect that it works in a certain way and changing that seems like a bad idea.

Could you please give the RFC 5424 support that's present in 11-STABLE and HEAD a try? Just add "-O rfc5424" to syslogd_flags in rc.conf. Please let me know whether that addresses the issue for you sufficiently.

I have not forgotten about this PR :) We're currently in a QA cycle for 11.2 (which I don't believe includes the RFC5424 support?), but once that's done I'll spin up a test machine on -STABLE and test it against logstash.

Our plan is to switch to RFC 5424 style messages anyway when we move to 11.3 or 12.0 & that eliminates the need for this fix on our end & I'm fine hotfixing our local syslogd until then.

I do see the logic in keeping RFC 3164 support as-is (since most folks will probably move to the new format) or making it a 12.0 item (since it introduces incompatibility with old syslogd). If it stays as-is that probably merits a note/erratum in the manpage for the next person who stumbles on this when they set up centralized logging in a heterogeneous environment.

Any updates here?

Created attachment 233882 [details]
Patch against 14-CURRENT
Attached is a patch for latest version of the code. I did not modify the "Forwarded from" case.
Created attachment 247881 [details]
patch with added rfc3164-strict format, against 15-CURRENT
Hi,
I had a look at RFC3164 and found a couple of interesting items:
- Section 4.2 of RFC3164 states there are no set requirements for the contents of the syslog packet. So the existing format is technically valid.
- The format described in RFC3164 (i.e. "<PRI>TIMESTAMP HOSTNAME MSG") is only RECOMMENDED to be used. It's not enforced.
- The "Forwarded from HOSTNAME:" field is not mentioned anywhere in RFC3164. I found it originally came about in FreeBSD PR 7055, back in 1998.
- Section 4.3.1 of RFC3164 states syslog relay servers that forward messages MUST do so without making any changes to the packet.
Given this, I think the existing bsd/rfc3164 format should be kept as-is for backward compatibility, but a new optional format should be added that strictly conforms to the recommended format defined in RFC3164.
I have attached a new patch based on Bryan Drewery's patch. It adds a third optional format to the -O flag, "strict" or "rfc3164-strict", which adds the hostname and excludes the "Forwarded from" field in the network syslog message, and also updates the man page.
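
A receiver-side check for the three layouts discussed in this thread, as an added example that is not part of the bug report or the attached patches. The helper name `check_rfc3164`, the TAG heuristic, and the placement of the "Forwarded from" prefix directly after the timestamp are assumptions, and the sample datagrams are constructed.

```python
import re

# RFC 3164 recommended layout: <PRI>, "Mmm dd hh:mm:ss" (day space-padded),
# a space, HOSTNAME, a space, then MSG (TAG + content).
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ \d]\d \d{2}:\d{2}:\d{2}) (?P<rest>.*)",
    re.DOTALL,
)
RELAY_PREFIX = "Forwarded from "  # prefix named in this thread, not in the RFC

def check_rfc3164(datagram: bytes) -> dict:
    """Classify one received datagram (hypothetical helper name)."""
    m = HEADER.match(datagram.decode("ascii", errors="replace"))
    if m is None or int(m["pri"]) > 191:  # PRI = facility * 8 + severity
        return {"verdict": "no-valid-header", "hostname": None}
    pri, rest = int(m["pri"]), m["rest"]
    out = {"facility": pri >> 3, "severity": pri & 7, "hostname": None}
    if rest.startswith(RELAY_PREFIX):
        origin = rest[len(RELAY_PREFIX):].split(":", 1)[0]
        return {**out, "verdict": "forwarded-prefix", "origin": origin}
    first, _, msg = rest.partition(" ")
    # Assumption: a first token ending in ':' or carrying '[pid]' is a TAG,
    # which means the sender skipped HOSTNAME.
    if first.endswith(":") or "[" in first:
        return {**out, "verdict": "missing-hostname"}
    return {**out, "verdict": "conformant", "hostname": first, "msg": msg}

# Constructed sample datagrams (not captured from a real host).
SAMPLES = [
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick",
    b"<34>Oct 11 22:14:15 su: 'su root' failed for lonvick",
    b"<34>Oct 11 22:14:15 Forwarded from mymachine: su: 'su root' failed",
    b"<13>Feb  5 17:32:18 10.0.0.99 sshd[812]: session opened",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_rfc3164(s)["verdict"], s.decode())
```

A collector that keys events on the HOSTNAME field would attribute only the first and last samples to a sender; the other two carry no hostname in that position.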
^Triage: clear unneeded flags. Nothing has yet been committed to be merged.

Hi,

I took my last patch, added a bunch of tests and created a pull request on GitHub with the changes. https://github.com/freebsd/freebsd-src/pull/1536