> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of [email protected]
> Sent: Thursday, December 01, 2011 4:59 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] trusted (fields/properties) now also in rsyslog
>
> I'm happy to see this, I was just reading up on SCM_CREDENTIALS and
> thinking that it should be fairly easy to add these sorts of things to
> existing software.
>
> are these values available as named properties when crafting a format
> string?

Kind of... you need to pull them off via a regex :( Of course, that's not the real answer. It's important to know that this effort is experimental. I wanted to get some feedback (thanks!). A final implementation will definitely be different. But before doing that, I want to play a bit around (plus some core changes are required to make it really decent, and there performance is a big issue). This probably needs to be done ultimately in v6, as the core there already uses the (CEE) field set.

> Also, while it will hurt existing parsers, this data needs to be at the
> beginning of the line, before any user generated input, so that it can't
> be faked.

Actually CEE & RFC5424 structured data is the correct solution. Regarding faking: what really helps is if the emitter digitally signs the message. Otherwise you can always fake. I hope to have some opportunity to look into this soon. But as you probably know there is so much going on right now...

> because of existing parsers, this probably means that we need an option
> to deal with this, or possibly a couple of options

RFC5424 and CEE will take care of that

> 1. should rsyslog add this to the %msg% property when the line is read
> in by imsock, leaving logs from other sources alone?
>
> having this would probably make things easy for many people, but defeats
> the value of the trusted properties as other sources could add text to
> the logs that looks like it is the trusted properties.

If they are trusted, we must be sure that they are correct. So we can add fields, yes, but only where we can not be sure they are not faked. So for each input this needs to be checked individually. All network received logs for that reason cannot be trusted (except for e.g. RFC5425 provided remote host identity via cert). There is an awful lot to do in this regard. Journald does offer vapourware in this regard, but no cryptographically sound solution. It's more than sticking a few fields here and there (I know you know ;)).

> Rsyslog already has %inputname% to say where the log came from. this is
> seldom used, but if it is used, it would probably make sense to use
> these new properties the same way.
>
> 2. add an output format (or two, one for local, one for remote) that
> inserts these properties at the beginning of the line for every message,
> even if it comes from a source that doesn't provide the data so that
> user provided input cannot pretend to provide these fields. Yes, I know that
> users can create their own output format, but if Rsyslog defines one, it
> is far more likely that people will use it, and if they do Rsyslog can
> define a parser module that populates these fields from an incoming
> message over the network (while providing the appropriate value in
> %inputname% that says that the message came over the network and so the
> message could have been faked)

Again CEE and RFC5424... Actually, I was tempted to add the functionality as RFC5424, but it's in its infancy and I would immediately have gotten the feedback "sure, some obscure implementation of syslog provides this, but nobody uses that". So I stuck it right in the message...

rg

> David Lang
>
> On Tue, 29 Nov 2011, Rainer Gerhards wrote:
>
> > Date: Tue, 29 Nov 2011 13:05:40 +0100
> > From: Rainer Gerhards <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: [email protected]
> > Subject: [rsyslog] trusted (fields/properties) now also in rsyslog
> >
> > Hi all,
> >
> > I thought I'd buy in on one of journald's better ideas, here are the
> > details:
> >
> > http://blog.gerhards.net/2011/11/trusted-properties-in-rsyslog.html
> >
> > I will see that I can release today, but would like to merge into v6,
> > if possible... Expect an announcement soon. I'd also like to know what
> > you think about this feature.
> >
> > Thanks,
> > Rainer
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/

