Bug 220246 - syslogd does not send RFC3164-conformant messages [PATCH]
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.3-RELEASE
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: freebsd-bugs (Nobody)
URL: https://www.ietf.org/rfc/rfc3164.txt
Keywords: easy, needs-qa, patch, standards
Depends on:
Reported: 2017-06-24 08:50 UTC by mikeg
Modified: 2020-06-19 16:48 UTC (History)

See Also:
koobs: mfc-stable11?
koobs: mfc-stable10?

Resolving patch (733 bytes, text/plain)
2017-06-24 08:50 UTC, mikeg

Description mikeg 2017-06-24 08:50:02 UTC
Created attachment 183758
Resolving patch

When sending messages to a remote host syslogd omits the hostname field required by RFC 3164. This affects anyone sending logs from a FreeBSD host to a central logging server that expects RFC 3164-conformant messages (Logstash, fluentd) - it breaks the remote server's ability to parse the FreeBSD system's log messages.

This issue is present on 10.3-RELEASE and 11.0-RELEASE.

The attached patch corrects the behavior of syslogd when sending messages. Following the logic laid out in the existing code I preserved the previous hostname for forwarded messages, but made the resulting message conform with the RFC. 

This fix has been verified against Logstash & fluentd. I have not deliberately thrown any pathological input at it so there should be some scrutiny.

NOTE: Related standards bug 200933 deals with receiving RFC 3164-conformant messages. There is a patch there which should be reviewed and either applied or adapted as appropriate.
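
An added example (not part of the report or the attached patch) of what the omitted HOSTNAME field does at a collector: a parser that trusts the RFC 3164 field order records the tag as the host, while one that checks the token's shape can attribute the message to the sending address instead. The function names, the sample datagrams and the fall-back to the UDP peer address are assumptions made for this illustration.

```python
import re

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ?(?P<rest>.*)", re.S)
# A token shaped like "name:" or "name[pid]:" is a TAG, not a HOSTNAME.
TAG = re.compile(r"(?P<tag>[\w./-]{1,32})(?:\[(?P<pid>\d+)\])?:")

def strict_host(datagram):
    """What a parser that trusts the field order records as the host."""
    m = HEADER.match(datagram)
    return m["host"] if m else None

def parse(datagram, peer):
    """Parse one datagram; `peer` is the UDP source address (assumed known)."""
    m = HEADER.match(datagram)
    if m is None:
        return {"host": peer, "host_source": "peer", "msg": datagram}
    pri = int(m["pri"])
    rec = {"facility": pri >> 3, "severity": pri & 7, "ts": m["ts"]}
    t = TAG.fullmatch(m["host"])
    if t:   # HOSTNAME omitted: the first token after the timestamp is the tag
        rec.update(host=peer, host_source="peer", msg=m["rest"])
    else:
        rec.update(host=m["host"], host_source="header")
        t = TAG.match(m["rest"])
        rec["msg"] = m["rest"][t.end():].lstrip() if t else m["rest"]
    rec["tag"] = t["tag"] if t else None
    rec["pid"] = int(t["pid"]) if t and t["pid"] else None
    return rec

# Constructed sample datagrams (not captured from a real host).
WITH_HOST = "<38>Jun 24 08:50:02 web01 sshd[4211]: Failed password for root"
NO_HOST = "<38>Jun 24 08:50:02 sshd[4211]: Failed password for root"

if __name__ == "__main__":
    for d in (WITH_HOST, NO_HOST):
        print(strict_host(d), "->", parse(d, "198.51.100.10"))
```

The `host_source` field lets downstream rules tell a self-reported hostname from one derived from the sender's address.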
Comment 1 Kyle Evans freebsd_committer 2018-08-09 02:38:14 UTC
CC'ing ed@, who has done quite a bit with syslogd over the past year.
Comment 2 Ed Schouten freebsd_committer 2018-08-09 12:57:16 UTC
Hi there,

Thanks for the patch! The syslogd code has been refactored a lot lately to support the RFC 5424 message format. Looking at the code, the issue still applies. That said, I'm a bit hesitant to change anything for the RFC 3164 format support. People expect that it works in a certain way and changing that seems like a bad idea.

Could you please give the RFC 5424 support that's present in 11-STABLE and HEAD a try? Just add "-O rfc5424" to syslogd_flags in rc.conf. Please let me know whether that addresses the issue for you sufficiently.
Comment 3 mikeg 2018-08-24 21:38:53 UTC
I have not forgotten about this PR :)

We're currently in a QA cycle for 11.2 (which I don't believe includes the RFC5424 support?), but once that's done I'll spin up a test machine on -STABLE and test it against logstash.

Our plan is to switch to RFC 5424 style messages anyway when we move to 11.3 or 12.0 & that eliminates the need for this fix on our end & I'm fine hotfixing our local syslogd until then.

I do see the logic in keeping RFC 3164 support as-is (since most folks will probably move to the new format) or making it a 12.0 item (since it introduces incompatibility with old syslogd).
If it stays as-is that probably merits a note/erratum in the manpage for the next person who stumbles on this when they set up centralized logging in a heterogeneous environment.
Comment 4 Li-Wen Hsu freebsd_committer 2020-06-19 16:47:15 UTC
Any updates here?