Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC3164 4.3.2 -- Handling messages with pri but without timestamp or host #5098

Closed
bmagistro opened this issue Mar 8, 2023 · 6 comments
Closed

RFC3164 4.3.2 -- Handling messages with pri but without timestamp or host #5098

bmagistro opened this issue Mar 8, 2023 · 6 comments

Comments

@bmagistro
Copy link

This may be related to #1789 but don't want to mix the threads if it is not.

Personally I would consider this a partial/broken implementation however, this is generated from a commercially available device and does seem to have a path within RFC 3164 to be considered valid. I am working on making contact with the vendor to discuss this (and some other feature requests) but time to fix if at all once that contact is made is unknown. The vendor does not expose transmission port either so short of using a separate instance I am not sure how easily one could differentiate this traffic from other syslog traffic coming in (unless all other traffic had its port changed).

Based on this input data I would expect this to be handled as RFC 3164 data and then further handled according to section 4.3.2, A valid PRI but no/invalid timestamp. The behavior lines assume output in RFC 5424 format.

Input data

Sender 10.0.37.16

<38>User logged into the appliance. User: bmagistro.
<6>The appliance is rebooting. Command issued by user: bmagistro.
<30>Network link has gone down on interface 1.

Actual behavior

<38>1 2023-03-08T19:41:38.089271+00:00 User logged - - -  into the appliance. User: bmagistro.
<6>1 2023-03-08T19:41:47.262415+00:00 The appliance - - -  is rebooting. Command issued by user: bmagistro.
<30>1 2023-03-08T19:41:59.470277+00:00 Network link - - -  has gone down on interface 1.

Expected behavior

This is generated by hand and I think I counted fields correctly, at the end of the day only expecting pri, version, timestamp, hostname, and msg to be able to be populated. To achieve this I would expect the timestamp and hostname (subject to dns resolution, so IP inserted here for discussion purposes) to be added based on section 3164 4.3.2. This is probably where the gray areas start, per comments on #1789 there are implementations that may send a valid PRI but no hostname or send a message starting with a hostname so parsing/processing needs to account for these too. If trying to handle all of these, one would likely need multiple inputs to set the different parameters for parsing behavior. The below fills in the first part of the header based on the receive information from rsyslog. Following RFC 3164 for tag detection, that would be part of the message but is not present here so would not expect the remaining header fields in 5424 to be populated, same for structured data.

<38>1 2023-03-08T19:41:38.089271+00:00 10.0.37.16 - - - - User logged into the appliance. User: bmagistro.
<6>1 2023-03-08T19:41:47.262415+00:00 10.0.37.16 - - - - The appliance is rebooting. Command issued by user: bmagistro.
<30>1 2023-03-08T19:41:59.470277+00:00 10.0.37.16 - - - - Network link has gone down on interface 1.

I am open to suggestions on how best to handle this, right now the easiest answer seems to be something like allocate a second IP to the host, listen for this "broken" format there and handle with some custom parsing logic.

Environment

  • rsyslog version: 8.2212.0
  • platform: Alma 9.1

Relevant configuration snippet

# Provides UDP syslog reception
$ModLoad imudp

ruleset(name="remote") {
    action(type="omfile" file="/tmp/relay.log" template="RSYSLOG_SyslogProtocol23Format")
    action(type="omfile" file="/tmp/relaydebug.log" template="RSYSLOG_DebugFormat")
}
input( type="imudp" port="514" ruleset="remote")

pcap (zip'd for github upload)
@davidelang
Copy link
Contributor

davidelang commented Mar 8, 2023 via email

@bmagistro
Copy link
Author

The RFC also says in section 4

The payload of any IP packet that has a UDP destination port of 514 MUST be treated as a syslog message. There MAY be differences between the format of an originally transmitted syslog message and the format of a relayed message. In essence, it is RECOMMENDED to transmit a syslog message in the format specified in this document, but it is not required. If a relay is able to recognize the message as adhering to that format then it MUST retransmit the message without making any changes to it. However, if a relay receives a message but cannot discern the proper implementation of the format, it is REQUIRED to modify the message so that it conforms to that format before it retransmits it. Section 4.1 will describe the RECOMMENDED format for syslog messages. Section 4.2 will describe the requirements for originally transmitted messages and Section 4.3 will describe the requirements for relayed messages.

Continuing on, this is where I said there is some gray area and definitely open to interpretation + experience. Based on your comment, the implication is that there was a need to deviate from the RFC due to real world implementations. Ideally those needs/reasons would be captured somewhere, as a developer I know that doesn't always happen/isn't always possible/practical. As a user though, we are then left with what the maintainers/contributors chose and minimal controls to adjust this behavior today.

how can we tell the first three apart? using your examples:
and the 'correct'

The way I read RFC3164 makes some of this very straight forward. I'll start with the "correct" (full?) format, this processing path is based on the presence of a valid timestamp. If the timestamp is present, it should be assumed that the rest of the header and tag are also present. However if the timestamp is not present/invalid, we hit the three scenarios you mention. Following the RFC, this is exactly the scenario described by section 4.3.2 based on that the relay MUST insert a timestamp and SHOULD add a hostname. It also states that "the remainder of the packet MUST be treated as the content field of the msg and appended". It goes on to state "the TAG value cannot be determined and will not be included". As suggested in the referenced ticket, adding a flag to toggle this behavior allowing users to choose existing behavior or "new" (strictRfc3164s43?) seems like it could be a valid option for more than just this scenario.

Personally I think vendors should have been able to migrate to well formed 5424 for currently maintained equipment by now... (insert laugher here) But vendors have rarely taken my opinion(s) into consideration so like others, I am left trying to normalize (hammer) what they provide into a consistent format that can be consumed meaningfully. I'd like to try and do the same with this message format without adding too much overhead for anyone, this project included. I would go so far as to say we would be willing to help develop a patch if some consensus around behavior and a reasonable expectation that it would be accepted can be established.

@davidelang
Copy link
Contributor

davidelang commented Mar 9, 2023 via email

@rgerhards
Copy link
Member

rgerhards commented Mar 9, 2023 via email

@rgerhards
Copy link
Member

rgerhards commented Mar 9, 2023 via email

@bmagistro
Copy link
Author

Thanks for the discussion, while I disagree with the stance that there is no room for a user configurable flag to change this behavior I do appreciate the work that has been done to get us and this app this far.

Cheers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rgerhards @davidelang @bmagistro