Esteemed busybox developers:
When using syslogd for remote logging, our syslog server administrators
complained (and I confirmed) that syslogd messages sent over the wire were not
in accordance with RFC 3164 Section 4.1.2, specifically:

    The HEADER part contains a timestamp and an indication of the
    hostname or IP address of the device.
    […]
    The HOSTNAME field will contain only the hostname, the IPv4 address,
    or the IPv6 address of the originator of the message. The preferred
    value is the hostname.

The hostname is currently not included in the header. This was not the case for
local logging, which did include the hostname. When this was raised in 2008,
Denys responded with Won't Fix, saying that Ubuntu did not include the hostname
in its syslogd datagrams. I humbly ask you to reconsider whether Ubuntu bugs
and configuration errors should take precedence over the RFC 😊. Also for remote
logging, syslogd ignored /etc/syslog.conf.busybox, whereas for local logging
the config file was effective. This leaves users unable to filter or despatch
remotely-transmitted syslog messages by priority. There is nothing in the
documentation or RFC that would lead you to expect this peculiar behaviour.
Looking at the do_syslogd function within sysklogd/syslogd.c
<https://git.busybox.net/busybox/tree/sysklogd/syslogd.c?h=1_35_stable>
at the section that handles remote logging, the cause becomes clear:

    /* We are not modifying log messages in any way before send */
    /* Remote site cannot trust _us_ anyway and need to do validation again */

This would be completely appropriate if the device was merely relaying
correctly-formatted syslog messages that originated elsewhere, but not so
appropriate for locally-originated syslog messages that lack the required
hostname field. It is true that the remote site needs to do the validation
again, but in our case the remote site is correctly indicating that the
received packet is invalid. This section of the code also disregards
/etc/syslog.conf.busybox, which explains why the file was ineffective at
controlling remote logging.
I realise you are all busy people, but can we please get this fixed at some stage
so that:
- Hostname is included in syslog messages as per RFC 3164; and
- The syslog server pays attention to /etc/syslog.conf.busybox for remotely
  logged messages as well as locally-logged ones, including support for the
  @remote_host action.
This should not require any drastic changes to the existing code. It would
mostly entail moving the packet transmission code from do_syslog() to
timestamp_and_log() within a conditional statement, plus a few more small
changes to leave in the pri field and (preferably) blank the res field for the
remotely-transmitted string. Plus a DNS lookup for any @remote_host actions in
the config file.
Alex Lasky
SCADA Engineer
Digital – Op Technology
Desk (02) 8849 5924
Mobile 0419 115 169
[email protected]
Level 2, 1 Smith Street
Parramatta NSW 2150
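
The header check a receiving collector can apply to the RFC 3164 section quoted in the message above, as an added example that is not part of the original email or of the busybox source. The function and enum names are hypothetical, the sample datagrams are constructed, and treating a token that ends in ':' or contains '[' as a TAG (and so as a missing HOSTNAME) is a heuristic assumption, not a rule from the RFC.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hdr_status { HDR_OK, HDR_BAD_PRI, HDR_BAD_TIMESTAMP, HDR_NO_HOSTNAME };

/* "<PRI>": 1-3 digits, value 0..191. Returns pointer past '>' or NULL. */
static const char *skip_pri(const char *p)
{
    int n = 0, v = 0;
    if (*p++ != '<') return NULL;
    while (n < 3 && isdigit((unsigned char)*p)) { v = v * 10 + (*p++ - '0'); n++; }
    return (n > 0 && v <= 191 && *p == '>') ? p + 1 : NULL;
}

/* TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day, then one space. */
static const char *skip_timestamp(const char *p)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    static const char shape[] = "AAA ?d dd:dd:dd "; /* A alpha, d digit, ? either */
    int i, month_ok = 0;
    for (i = 0; shape[i]; i++) {   /* a NUL in p fails every test: no over-read */
        unsigned char c = (unsigned char)p[i];
        if (shape[i] == 'A' ? !isalpha(c) : shape[i] == 'd' ? !isdigit(c)
          : shape[i] == '?' ? !(c == ' ' || isdigit(c)) : c != (unsigned char)shape[i])
            return NULL;
    }
    for (i = 0; i < 36; i += 3)
        month_ok |= (strncmp(p, months + i, 3) == 0);
    return month_ok ? p + 16 : NULL;
}

/* Assumption (heuristic): a token ending in ':' or containing '[' is a TAG. */
enum hdr_status rfc3164_check_header(const char *msg)
{
    const char *p, *end;
    if (!(p = skip_pri(msg))) return HDR_BAD_PRI;
    if (!(p = skip_timestamp(p))) return HDR_BAD_TIMESTAMP;
    end = strchr(p, ' ');
    if (!end || end == p) return HDR_NO_HOSTNAME;
    if (end[-1] == ':' || memchr(p, '[', (size_t)(end - p))) return HDR_NO_HOSTNAME;
    return HDR_OK;
}

int main(void)
{   /* constructed datagrams: with and without HOSTNAME */
    printf("%d\n", rfc3164_check_header("<13>Jan  5 14:02:11 gateway01 root: test"));
    printf("%d\n", rfc3164_check_header("<13>Jan  5 14:02:11 root: test"));
    return 0;
}
```

An IPv6 originator address such as 2001:db8::1 passes the heuristic because it does not end in ':'.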