rsyslog

seasoned_geek · 02-08-2018, 03:25 PM

All,

I'm looking for what should be simple but may not exist. In the standard YABU rsyslog.conf we find the following line.

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

I'm digging through the documentation site:

http://www.rsyslog.com/doc/master/index.html

looking for something like $ActionForwardDefaultTemplate because I want to have use RSYSLOG_SyslogProtocol23Format for message forwarding. Initially I changed the value of $ActionFileDefaultTemplate and added the *.* @my.host to /etc/rsyslog.d/50-default.conf.

I restarted the service and still get the same crummy output sent to the receiving system.

<4>Feb 8 14:55:43 roland-MCP61M-M3-linux-lite kernel: [875568.243099] [UFW BLOCK] IN=enp0s7 OUT= MAC=01:00:5e:00:00:01:c0:56:2
7:cb:9c:26:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=27142 PROTO=2

What do I need to change in rsyslog.conf to change the forwarding format? I'm having a really difficult time finding that little snippet.

Not that it should matter, but the test system is a less than 6 months old 64-bit Linux-Lite (YABU) and as of one week ago all updates were applied.

Habitual · 02-10-2018, 08:59 AM

What's YABU stand for?
syslog version...?

Check out /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

You are only needing to clean up the "<4>" garbage, yes?

seasoned_geek · 02-10-2018, 09:16 AM

Quote:

Originally Posted by Habitual

What's YABU stand for?
syslog version...?

Check out /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

You are only needing to clean up the "<4>" garbage, yes?

YABU Yet Another uBUntu

I've been through all of the doc on rsyslog site. I cannot find a setting which controls the format of the forwarding message.

Goodness no. RFC5424 is a completely different layout than the older style message. Click the link and look at page 8 of the specification.

RFC3164 - supposedly a properly formatted example.
<34>Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0

If I can find some method of telling rsyslog to use RFC5424 as its forwarding method I can save a lot of pain.

seasoned_geek · 02-10-2018, 06:23 PM

Perhaps a better question would be, does anyone have a link to the REAL and FINAL approved RFC5424 message format? So far, every search I've done, including Wikipedia points to the "Proposal" document.

https://tools.ietf.org/html/rfc5424

Doesn't matter which link you go to, it is a March 2009 "Proposal" written by the same people.

Page 8 is simply wrong. It doesn't even match the rest of the examples and, it doesn't match the current top level syslogd.c found in the FreeBSD repos. That code claims to support 5424, but, it is still using the legacy date format. According to the examples in the DOC

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

The date should be this expanded format, not Feb 8 14:42:49

Thanks,

Habitual · 02-12-2018, 12:10 PM

Have you read http://blog.gerhards.net/2012/03/cee...g-defined.html ??
and some others by the author of syslog

seasoned_geek · 02-12-2018, 12:17 PM

Quote:

Originally Posted by Habitual

Have you read http://blog.gerhards.net/2012/03/cee...g-defined.html ??
and some others by the author of syslog

I watched the presentation. It has nothing to do with the HEADER. It also has nothing to do with my question. that question being why, when I tell rsyslog to use 5424 format do I get non-5424 message headers when those messages are forwarded to another host?

The CEE enhancement has to do with structured data inside of the message itself. As stated in the presentation it works with all existing message types. By definition this means it does nothing to the header.