I'm happy to see this, I was just reading up on SCM_CREDENTIALS and thinking that it should be fairly easy to add these sorts of things to existing software.
are these values available as named properties when crafting a format string?
Also, while it will hurt existing parsers, this data needs to be at the beginning of the line, before any user generated input, so that it can't be faked.
because of existing parsers, this probably means that we need an option to deal with this, or possibly a couple of options
1. should rsyslog add this to the %msg% property when the line is read in by imsock, leaving logs from other sources alone?
having this would probaly make things wasy for many people, but defeats the value of the trusted properties as other sources could add text to the logs that looks like it is the trusted properties.
Rsyslog already has %inputname% to say where the log came from. this is seldom used, but if it is used, it would probably make sense to use these new properties the same way.
2. add an output format (or two, one for local, one for remote) that inserts these properties at the beginning of the line for every message, even if it comes from a source that doesn't provide the data so that user provided input cannot pretend to provide these fields. Yes, I know that users can create their own output format, but if Rsyslog defines one, it is far more likely that people will use it, and if they do Rsyslog can define a parser module that populates these fileds from an incomeing message over the network (while providing the appropriate value in %inputname% that says that the message came over the network and so the message could have been faked)
David Lang On Tue, 29 Nov 2011, Rainer Gerhards wrote:
Date: Tue, 29 Nov 2011 13:05:40 +0100 From: Rainer Gerhards <[email protected]> Reply-To: rsyslog-users <[email protected]> To: [email protected] Subject: [rsyslog] trusted (fields/properties) now also in rsyslog Hi all, I thought I'd buy in on one of journald's better ideas, here are the details: http://blog.gerhards.net/2011/11/trusted-properties-in-rsyslog.html I will see that I can release today, but would like to merge into v6, if possible... Expect an announcement soon. I'd also like to know what you think about this feature. Thanks, Rainer _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/
