Hello,

I just wanted to report this problem with rsyslog 8.32.0-1ubuntu4 from the Ubuntu 18.04 standard repos - possibly it has been fixed since.

I have a device (Cisco ASA) which is sending admittedly dubious format rfc3164 messages.  I have captured with tcpdump and can replicate like this:

echo -n "<164>Mar 08 2020 10:40:30 lch-asa1 : %ASA-4-711004: Task ran for 293 msec, Process = Dispatch Unit, PC = 82a4a8c, Call stack =   0x082a4a8c  0x0806a65c" | nc -w1 -u localhost 514

(notice spaces before and after colon).  I then have rsyslog forwarding these messages (to promtail) using RFC5424:

*.*     action(type="omfwd" protocol="tcp"
               target="127.0.0.1" port="5140"
               Template="RSYSLOG_SyslogProtocol23Format"
               TCP_Framing="octet-counted")

When I look at the tcpdump of the forwarded stream, I see:

<164>1 2020-03-08T10:40:30+00:00 lch-asa1  - - - %ASA-4-711004: Task ran for 293 msec, Process = Dispatch Unit, PC = 82a4a8c, Call stack =   0x082a4a8c  0x0806a65c

(notice double space after lch-asa1).  The receiver is rejecting these messages and dropping the connection:

caller=syslogtarget.go:174 msg="error parsing syslog stream" err="expecting an app-name (from 1 to max 48 US-ASCII characters) or a nil value [col 42]"

I think promtail is correct to reject them, since RFC5424 says:

      HOSTNAME        = NILVALUE / 1*255PRINTUSASCII
      APP-NAME        = NILVALUE / 1*48PRINTUSASCII
      PROCID          = NILVALUE / 1*128PRINTUSASCII
      MSGID           = NILVALUE / 1*32PRINTUSASCII
      STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT

i.e. rsyslog is leaving app-name completely empty in the forwarded message, which is not permitted.

I managed to make a workaround - I had to use a temporary variable as I couldn't set a system property, nor see a way to conditionally insert a dash in a template.

if ($app-name == '') then set $.app='-'; else set $.app=$app-name;

template(name="Fixed_SyslogProtocol23Format" type="string"
     string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %.app% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

*.*     action(type="omfwd" protocol="tcp"
               target="127.0.0.1" port="5140"
               Template="Fixed_SyslogProtocol23Format"
               TCP_Framing="octet-counted")

However, it seems to me that the existing RSYSLOG_SyslogProtocol23Format template assumes that $app-name will always be set to a non-empty string, and therefore perhaps the rfc3164 parser should always return a dash rather than empty app name, regardless of its input?

Regards,

Brian.
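As an added example (not part of Brian's post or of rsyslog/promtail), a small Python checker that applies the RFC 5424 field rules quoted above to the forwarded line and to the corrected one. The sample messages are constructed from the tcpdump output in the post, and nil_if_empty mirrors the workaround's conditional; the function and field names are my own.

```python
import re
from typing import Optional, Tuple

# Length limits from the RFC 5424 ABNF quoted in the post (section 6).
FIELD_LIMITS = (("HOSTNAME", 255), ("APP-NAME", 48), ("PROCID", 128), ("MSGID", 32))
# PRINTUSASCII = %d33-126: SP (0x20) can never be part of a header field,
# so an empty field between two spaces is a hard parse error, not a nil value.
PRINTUSASCII = re.compile(r"[\x21-\x7e]+\Z")

def validate_rfc5424_header(msg: str) -> Tuple[bool, Optional[str]]:
    """Check the fixed header fields of an RFC 5424 message.

    Returns (True, None) if PRI/VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID,
    MSGID and the start of STRUCTURED-DATA are well formed, otherwise
    (False, reason) naming the first bad field and its 0-based column.
    """
    m = re.match(r"<(\d{1,3})>1 (\S+) ", msg)  # PRI, VERSION 1, TIMESTAMP
    if not m or int(m.group(1)) > 191:
        return False, "malformed PRI/VERSION/TIMESTAMP prefix [col 0]"
    pos = m.end()
    for name, maxlen in FIELD_LIMITS:
        end = msg.find(" ", pos)
        if end == -1:
            return False, f"message truncated before {name} [col {pos}]"
        tok = msg[pos:end]
        if tok != "-" and not (len(tok) <= maxlen and PRINTUSASCII.match(tok)):
            return False, (f"expecting {name.lower()} (from 1 to max {maxlen} "
                           f"US-ASCII characters) or a nil value [col {pos}]")
        pos = end + 1
    sd = msg[pos:pos + 1]
    if (sd == "-" and msg[pos + 1:pos + 2] in ("", " ")) or sd == "[":
        return True, None
    return False, f"expecting structured-data [col {pos}]"

def nil_if_empty(value: str) -> str:
    """The post's workaround as a function: an empty property becomes NILVALUE."""
    return value if value else "-"

# Constructed from the tcpdump line in the post: the double space after the
# hostname is rsyslog emitting an empty APP-NAME.
BROKEN = ("<164>1 2020-03-08T10:40:30+00:00 lch-asa1  - - - "
          "%ASA-4-711004: Task ran for 293 msec, Process = Dispatch Unit")
# Same message as the Fixed_SyslogProtocol23Format template would render it.
FIXED = ("<164>1 2020-03-08T10:40:30+00:00 lch-asa1 " + nil_if_empty("") + " - - - "
         "%ASA-4-711004: Task ran for 293 msec, Process = Dispatch Unit")

if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, validate_rfc5424_header(line))
```

Running it reports the empty app-name at column 42, the same column promtail's parser complained about.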

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog