2015-03-04 0:17 GMT+01:00 Thomas D. <[email protected]>:

> Hi,
>
> seems like this list doesn't allow postings from people without
> registration so I am forwarding Sami's reply (don't forget to add Sami's
> address when replying!):
>

We required this a long time ago when spam levels got unbearable. I've turned it off now, let's see what happens. If the spam comes back again, I'll switch back to members-only.

>
> -------- Forwarded Message --------
> Subject: Re: logger: Broken RFC5424 support
> Date: Tue, 3 Mar 2015 23:47:49 +0100
> From: Sami Kerola
> To: Thomas D.
> CC: [email protected]
>
> On 3 March 2015 at 21:29, Thomas D. wrote:
>
> Hi Thomas and others,
>
> > you added RFC5424 support in logger in July 2014 [1]. Thanks for
> > doing that! ;)
>
> NP, I tried to make the command a little bit better but apparently
> good intentions do not always turn out quite exactly as one hopes.
>

...as usual in life. I still think this was a good move and should stay. I am not sure, though, if you really intended to modify the format on the *local* log socket. I mean if *not* sending via UDP and TCP.

> > The util-linux package in v2.26 which includes your changes hit
> > Gentoo Linux in February and uncovered a problem with imuxsock in
> > rsyslog.
> >
> > While investigating the problem it turns out that the RFC5424 header
> > produced by logger seems to be invalid. Let me quote David Lang who
> > found the problem:
> >
> >> Ok, if I'm reading the log correctly, here is the line that shows
> >> the message delivered to rsyslog
> >>
> >> 6630.247443933:main Q:Reg/w0 : processBATCH: next msg 0: <5>Mar 3
> >> 19:17:10 vm-gentoo-x64 root: test
> >>
> >> This is showing the message being pulled from the main queue, not
> >> the raw log arriving via uxsock, so it's possible it's already been
> >> manipulated
> >>
> >> according to RFC5424, the header is PRI VERSION SP TIMESTAMP SP
> >> HOSTNAME
> >>
> >> so if this is the raw log, this is not quite valid RFC5424, it
> >> would have " 1 " between the > and Mar (I was misremembering that
> >> the version was before the pri)
>
> Very interesting. I am almost sure the version number is present.
>

that information was incorrect. That string was written in RFC3164 mode, so everything is fine here. If you'd like to dig into the root of the confusion, see here: http://lists.adiscon.net/pipermail/rsyslog/2015-March/039850.html

> https://github.com/karelzak/util-linux/blob/master/misc-utils/logger.c#L398
>
> And the string should result in similar output as examples in section 6.5
>
> https://tools.ietf.org/html/rfc5424
>
> The --stderr gives printout of the buffer that the logger will send,
> and at a glance it looks OK.
>
> $ logger --server localhost --rfc5424 --stderr test
> <5>1 2015-03-03T22:36:22.513877+0000 kerolasa-home kerolasa -
> [timeQuality tzKnown="1" isSynced="1" syncAccuracy="3704000"] test
>
> If I read the given message right it looks similar to rfc3164 format
> that is default when not talking to remote hosts, or specific sockets.
>

From what Thomas reported, logger test [NO OPTIONS!] will emit RFC5424 format to the log socket -- this is actually causing the problem. Thomas, can you please confirm? Maybe Gentoo has an interim version with a bug that was later fixed?

Rainer

> $ logger --stderr test
> <5>Mar 3 22:39:20 logger: test
>
> Notice that with --socket the rfc5424 stuff appears again.
>
> $ logger --socket=/dev/log --stderr test
> <5>1 2015-03-03T22:41:13.842817+0000 kerolasa-home kerolasa -
> [timeQuality tzKnown="1" isSynced="1" syncAccuracy="3849500"] test
>
> But that is only half of the story. Finding the logger line with all
> options and arguments that sends unexpected output would be brilliant.
> I'll stay tuned, and look at the thread again tomorrow evening (GMT0).
>
> --
> Sami Kerola
> http://www.iki.fi/kerolasa/
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
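A receiver-side check for the two header layouts compared in this thread, as an added example (not code from logger, rsyslog, or any participant). It tells an RFC 5424 header (version digit right after PRI, ISO timestamp) from the RFC 3164 style one, using the lines quoted above as input; `classify` and `SAMPLES` are names chosen for this sketch.

```python
import re

# RFC 5424 header starts: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME ...
# Only the leading fields needed to tell the two framings apart are parsed.
RFC5424 = re.compile(
    r"<(\d{1,3})>([1-9]\d{0,2}) "
    # The colon in the UTC offset is optional here because the sample
    # output quoted in the thread prints "+0000".
    r"(-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:?\d\d)) "
    r"(\S+) (\S+) ")

# RFC 3164 style: PRI immediately followed by "Mmm dd hh:mm:ss", no version.
RFC3164 = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d\d:\d\d:\d\d) ")


def classify(line):
    """Return the detected framing plus the decoded PRI for one syslog line."""
    for name, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m and int(m.group(1)) <= 191:  # PRI = facility * 8 + severity
            pri = int(m.group(1))
            out = {"format": name, "facility": pri >> 3, "severity": pri & 7}
            if name == "rfc5424":
                out.update(version=int(m.group(2)), hostname=m.group(4),
                           app_name=m.group(5))
            return out
    return {"format": "unknown"}


# Sample lines copied from the thread (the wrapped --stderr output rejoined).
SAMPLES = [
    '<5>1 2015-03-03T22:36:22.513877+0000 kerolasa-home kerolasa - '
    '[timeQuality tzKnown="1" isSynced="1" syncAccuracy="3704000"] test',
    "<5>Mar 3 22:39:20 logger: test",
    "<5>Mar 3 19:17:10 vm-gentoo-x64 root: test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample)["format"], "<-", sample)
```
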

