Hello all!

I have run into an issue with rsyslog 5.8.11 (and previous 5.8.X-stable
releases) both from Ubuntu's distribution and compiled from source that
does not appear to occur in the 4.6 (RHEL 6 package).  The behavior I am
seeing is that messages received in proper RFC5424 format are handled
properly via the imudp and imtcp input modules, however when the message is
received via imuxsock (on /dev/log) the message doesn't get parsed
properly.  I haven't been able to find any documentation on configuration
changes needed to make it work (and I've tried setting some various
directives and toggling values for escaping characters, etc) or if this is
intended.

I added a couple lines to my rsyslog.conf ("Debug_FileFormat") to allow me
to get a better idea of what was being passed to the daemon (shown below in
the "rsyslog.conf" I've been testing with).


I have been using a simple Python script to generate RFC5424 syslog
messages.  This script will send messages to both the UDP socket and
imuxsock.  On RHEL 6 using the older rsyslog version (4.6) both log lines
are processed as expected:

2012-05-04T13:47:56.794098-04:00 tully ( facility:user ) ( level:debug ) ( app-name:Test.Logging.Script ) ( procid:- ) ( msgid:- ) ( s-data:- ) ( tag:Test.Logging.Script ) ( pname:Test.Logging.Script ) ( input:imuxsock ) ( msg:- RFC5424 Testing Message ) ( raw:<15>1 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - RFC5424 Testing Message )

2012-05-04T13:47:56.794855-04:00 tully ( facility:user ) ( level:debug ) ( app-name:Test.Logging.Script ) ( procid:- ) ( msgid:- ) ( s-data:- ) ( tag:Test.Logging.Script ) ( pname:Test.Logging.Script ) ( input:imudp ) ( msg:- RFC5424 Testing Message ) ( raw:<15>1 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - RFC5424 Testing Message )


However, using the 5.8.X version (even with the same config as the RHEL
system) the log lines are not processed as expected from imuxsock:

2012-05-04T03:50:14.115579+00:00 ubuntudev ( facility:user ) ( level:debug ) ( app-name:1 ) ( procid:- ) ( msgid:- ) ( s-data:- ) ( tag:1 ) ( pname:1 ) ( input:imuxsock ) ( msg: 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - RFC5424 Testing Message ) ( raw:<15>1 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - RFC5424 Testing Message )

2012-05-04T03:50:14.115895+00:00 ubuntudev ( facility:user ) ( level:debug ) ( app-name:Test.Logging.Script ) ( procid:- ) ( msgid:- ) ( s-data:- ) ( tag:Test.Logging.Script ) ( pname:Test.Logging.Script ) ( input:imudp ) ( msg:RFC5424 Testing Message ) ( raw:<15>1 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - RFC5424 Testing Message )



Here is the quick and dirty Python script I've been using for testing (we
also tested with a simple C application, but this one is easier to "work
with" if changes are needed):

#!/usr/bin/python

import os
import logging
import logging.handlers

test_logger = logging.getLogger('TestLogger')
test_logger.setLevel(logging.DEBUG)

handler_sock = logging.handlers.SysLogHandler(address = '/dev/log')
handler_inet = logging.handlers.SysLogHandler(address = ('127.0.0.1', 514))

test_logger.addHandler(handler_sock)
test_logger.addHandler(handler_inet)

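# RFC5424 header fields followed by the message text; SysLogHandler
# prepends the <PRI> value itself (<15> = user.debug).
msg = '1 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - RFC5424 Testing Message'

# Send through the logger defined above so both handlers get the message.
test_logger.debug(msg)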

The rsyslog.conf I've been testing with has been super simple to start with:

#rsyslog v3 config file

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ModLoad imudp.so
$UDPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template Debug_FileFormat,"%TIMEGENERATED:::date-rfc3339% %$myhostname% ( facility:%syslogfacility-text% ) ( level:%syslogpriority-text% ) ( app-name:%app-name% ) ( procid:%procid% ) ( msgid:%msgid% ) ( s-data:%structured-data% ) ( tag:%syslogtag% ) ( pname:%programname% ) ( input:%inputname% ) ( msg:%msg% ) ( raw:%rawmsg% )\n"

*.*                             /var/log/syslog-debug.log;Debug_FileFormat

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log


If anyone can provide me with some insight as to what can be done (or if
this behavior is intentional), it would be greatly appreciated.

Cheers,
Morgan Fainberg
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
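
A check for the mis-parse described in the post, as an added example that is not part of the original message: it re-parses the raw field of each Debug_FileFormat line as an RFC 5424 header and reports properties that disagree with it. The two sample lines are the 5.8.X lines quoted in the post (unwrapped); the function names and regexes are this example's own assumptions, not rsyslog's parser.

```python
import re

# One "( name:value )" group as written by the post's Debug_FileFormat template.
FIELD_RE = re.compile(r"\( ([a-z-]+):(.*?) \)(?= \(|$)")

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# (simplified: structured data is matched greedily as "-" or "[...]").
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\])(?: (?P<msg>.*))?$"
)

RAW = ("<15>1 2012-05-04T01:25:58.724841Z - Test.Logging.Script - - - "
       "RFC5424 Testing Message")

# The two rsyslog 5.8.X output lines from the post, joined back onto one line each.
SAMPLE_LINES = [
    "2012-05-04T03:50:14.115579+00:00 ubuntudev ( facility:user ) ( level:debug ) "
    "( app-name:1 ) ( procid:- ) ( msgid:- ) ( s-data:- ) ( tag:1 ) ( pname:1 ) "
    "( input:imuxsock ) ( msg: 2012-05-04T01:25:58.724841Z - Test.Logging.Script "
    "- - - RFC5424 Testing Message ) ( raw:" + RAW + " )",
    "2012-05-04T03:50:14.115895+00:00 ubuntudev ( facility:user ) ( level:debug ) "
    "( app-name:Test.Logging.Script ) ( procid:- ) ( msgid:- ) ( s-data:- ) "
    "( tag:Test.Logging.Script ) ( pname:Test.Logging.Script ) ( input:imudp ) "
    "( msg:RFC5424 Testing Message ) ( raw:" + RAW + " )",
]

def parse_debug_line(line):
    """Return the template's name -> value pairs for one debug log line."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}

def check_line(line):
    """Return (input module, {field: (parsed, expected)}); None if raw is not RFC 5424."""
    fields = parse_debug_line(line)
    hdr = RFC5424_RE.match(fields.get("raw", ""))
    if hdr is None:
        return fields.get("input"), None
    expected = {"app-name": hdr["app"], "procid": hdr["procid"],
                "msgid": hdr["msgid"], "s-data": hdr["sd"], "msg": hdr["msg"] or ""}
    bad = {k: (fields.get(k), v) for k, v in expected.items() if fields.get(k) != v}
    return fields.get("input"), bad

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        source, bad = check_line(sample)
        status = "not RFC 5424" if bad is None else ("MISPARSED %r" % bad if bad else "OK")
        print(source, status)
```

Run against /var/log/syslog-debug.log, the same check shows which input modules hand RFC 5424 messages to the wrong parser, which matters wherever downstream filters or alerts key on app-name or tag.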