You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Running rsyslogd with input(type="imuxsock" Socket="/run/systemd/journal/syslog") parses correct "programname" and "procid" attributes from the forwarded message, for example:
Using SysSock.UsePIDFromSystem="on" with imuxsock module changes its output, but it's still broken, just in a different way ("programname": "73220]",).
More information
Afaik Arch uses upstream systemd without any significant patches, and issue appeared after recent update, bumping systemd 251.3 -> 251.4, immediately breaking output of already-installed rsyslogd (that wasn't changed/updated).
This leads me to believe that systemd changed its syslog output/forwarding format, which can be seen in strace output of rsyslogd (e.g. strace -e recvmsg -s8000 -fp $(systemctl show -P MainPID rsyslog)), for example:
"old" is the format that works, "new" is the one that does not.
Afaict difference seem to only be in that one space character.
If I understand correctly, parsing of this string is done by "special parser" routine in imuxsock.c itself (due to SysSock.UseSpecialParser=on default), and presumably one workaround would be to disable that and construct your own parser instead.
I wasn't able to find any obvious systemd commit that alters this behavior on short notice.
Wasn't able to find any obvious report/fix/PR for this issue in systemd/systemd repo either.
Is it a bug in systemd, or should rsyslogd default built-in imuxsock.c parser be able to handle this extra whitespace?
(or maybe both of these can be true, if handling of such slightly-broken output can be done anyway)
The text was updated successfully, but these errors were encountered:
Small update: I seem to have isolated this to a glibc 2.36 regression, which does sendto() with that space, which systemd seem to pass through as-is, so updating past that glibc package version or adding a patch to it might be a fix for anyone else bumping into this issue in the future.
Expected behavior
Running rsyslogd with
input(type="imuxsock" Socket="/run/systemd/journal/syslog")
parses correct "programname" and "procid" attributes from the forwarded message, for example:Actual behavior
Parsed message looks like this:
Note the missing "programname" and "procid" attributes and "rsyslogd:" prefix in "msg".
Steps to reproduce the behavior
ForwardToSyslog=yes
in /etc/systemd/journald.conf, restart systemd-journald.input(type="imuxsock" Socket="/run/systemd/journal/syslog")
Environment
rsyslog version (
rsyslogd -v
output):platform: Arch Linux (rolling release, state as of 2022-09-02), with systemd 251.4.
rsyslogd.conf for running as
rsyslogd -n | jq -C .
:Using
SysSock.UsePIDFromSystem="on"
with imuxsock module changes its output, but it's still broken, just in a different way ("programname": "73220]",
).More information
Afaik Arch uses upstream systemd without any significant patches, and issue appeared after recent update, bumping systemd 251.3 -> 251.4, immediately breaking output of already-installed rsyslogd (that wasn't changed/updated).
This leads me to believe that systemd changed its syslog output/forwarding format, which can be seen in strace output of rsyslogd (e.g.
strace -e recvmsg -s8000 -fp $(systemctl show -P MainPID rsyslog)
), for example:"old" is the format that works, "new" is the one that does not.
Afaict difference seem to only be in that one space character.
If I understand correctly, parsing of this string is done by "special parser" routine in imuxsock.c itself (due to SysSock.UseSpecialParser=on default), and presumably one workaround would be to disable that and construct your own parser instead.
I wasn't able to find any obvious systemd commit that alters this behavior on short notice.
Wasn't able to find any obvious report/fix/PR for this issue in systemd/systemd repo either.
Is it a bug in systemd, or should rsyslogd default built-in imuxsock.c parser be able to handle this extra whitespace?
(or maybe both of these can be true, if handling of such slightly-broken output can be done anyway)
The text was updated successfully, but these errors were encountered: