Hi, seems like this list doesn't allow postings from people without registration so I am forwarding Sami's reply (don't forget to add Sami's address when replying!):
-------- Forwarded Message --------
Subject: Re: logger: Broken RFC5424 support
Date: Tue, 3 Mar 2015 23:47:49 +0100
From: Sami Kerola
To: Thomas D.
CC: [email protected]

On 3 March 2015 at 21:29, Thomas D. wrote:

Hi Thomas and others,

> you added RFC5424 support in logger in July 2014 [1]. Thanks for
> doing that! ;)

NP, I tried to make the command a little bit better but apparently good
intentions do not always turn out quite exactly as one hopes.

> The util-linux package in v2.26 which includes your changes hit
> Gentoo Linux in February and uncovered a problem with imuxsock in
> rsyslog.
>
> While investigating the problem it turns out that the RFC5424 header
> produced by logger seems to be invalid. Let me quote David Lang who
> found the problem:
>
>> Ok, if I'm reading the log correctly, here is the line that shows
>> the message delivered to rsyslog
>>
>> 6630.247443933:main Q:Reg/w0 : processBATCH: next msg 0: <5>Mar 3
>> 19:17:10 vm-gentoo-x64 root: test
>>
>> This is showing the message being pulled from the main queue, not
>> the raw log arriving via uxsock, so it's possible it's already been
>> manipulated
>>
>> according to RFC5424, the header is PRI VERSION SP TIMESTAMP SP
>> HOSTNAME
>>
>> so if this is the raw log, this is not quite valid RFC5424, it
>> would have " 1 " between the > and Mar (I was misremembering that
>> the version was before the pri)

Very interesting. I am almost sure the version number is present.

https://github.com/karelzak/util-linux/blob/master/misc-utils/logger.c#L398

And the string should result in similar output as examples in section 6.5

https://tools.ietf.org/html/rfc5424

The --stderr gives a printout of the buffer that the logger will send, and
at a glance it looks OK.

$ logger --server localhost --rfc5424 --stderr test
<5>1 2015-03-03T22:36:22.513877+0000 kerolasa-home kerolasa - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="3704000"] test

If I read the given message right it looks similar to the rfc3164 format that
is the default when not talking to remote hosts, or specific sockets.

$ logger --stderr test
<5>Mar 3 22:39:20 logger: test

Notice that with --socket the rfc5424 stuff appears again.

$ logger --socket=/dev/log --stderr test
<5>1 2015-03-03T22:41:13.842817+0000 kerolasa-home kerolasa - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="3849500"] test

But that is only half of the story. Finding the logger line with all
options and arguments that sends unexpected output would be brilliant.
I'll stay tuned, and look at the thread again tomorrow evening (GMT0).

-- 
Sami Kerola
http://www.iki.fi/kerolasa/
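
Added example (not part of the original thread, and not util-linux or rsyslog code): a small Python classifier that tells the two formats discussed above apart by whether a VERSION follows PRI, run over the lines quoted in the messages. The function name, the regexes and the lenient timestamp matching are assumptions of this example.

```python
import re

# Header prefix as quoted in the thread: PRI VERSION SP TIMESTAMP SP HOSTNAME.
# Lenient on purpose: the timestamp is only checked for a date and a "T",
# not against the full RFC 5424 TIMESTAMP grammar.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<hostname>\S+) (?P<rest>.*)$"
)
# Legacy BSD (RFC 3164) style: PRI directly followed by "Mmm d hh:mm:ss".
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} "
    r"\d{2}:\d{2}:\d{2}) (?P<rest>.*)$"
)


def classify(line):
    """Return the detected format plus decoded PRI, or {'format': 'unknown'}."""
    for name, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
            break
        out = m.groupdict()
        out.update(format=name, facility=pri >> 3, severity=pri & 7)
        return out
    return {"format": "unknown"}


# Lines copied from the messages above (logger --stderr output and the
# message shown in the rsyslog debug log).
SAMPLES = [
    '<5>1 2015-03-03T22:36:22.513877+0000 kerolasa-home kerolasa - '
    '[timeQuality tzKnown="1" isSynced="1" syncAccuracy="3704000"] test',
    '<5>Mar 3 22:39:20 logger: test',
    '<5>Mar 3 19:17:10 vm-gentoo-x64 root: test',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = classify(sample)
        print(r["format"], r.get("version"), r.get("timestamp"), sep=" | ")
```
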

