
Remove dash-space prefix from JSON log messages #7

Closed
ronott opened this issue Jun 14, 2023 · 4 comments

Comments

@ronott

ronott commented Jun 14, 2023

Hi

Is there a specific reason for the dash-space prefix in sshlog's log messages? It's an issue when JSON logs are fed into log collection/processing systems because they recognize the messages as invalid JSON because of that prefix. Could you remove it from the JSON log messages?

thx & best regards
ron

@matthill
Contributor

Can you send me an example config and output so I'm sure I am looking at the issue?

@ronott
Author

ronott commented Jun 15, 2023

Hi

My config is this:

/etc/sshlog/conf.d/log_events.yaml:

# Description:
# Logs all events (e.g., login, command start, file upload) to a single file

events:
  - event: log_general_activity
    triggers:
      - connection_established
      - connection_auth_failed
      - connection_close
      - command_start
      - command_finish
      - file_upload
    filters:
      ignore_existing_logins: True
    actions:
      - action: to_syslog
        plugin: syslog_action
        server_address: logs.domain.tld
        port: 11514
        udp: True
        output_json: True
        program_name: sshlog

And these are the JSON log messages I get on the syslog server:

- {"event_type": "command_finish", "ptm_pid": 357662, "filename": "ls", "start_time": 1686808906021, "end_time": 1686808906030, "exit_code": 0, </snip>
- {"event_type": "command_start", "ptm_pid": 357662, "filename": "ls", "start_time": 1686808906021, "end_time": 0, "exit_code": -1, </snip>
- {"event_type": "command_finish", "ptm_pid": 357662, "filename": "ls", "start_time": 1686808904134, "end_time": 1686808904137, "exit_code": </snip>
- {"event_type": "command_start", "ptm_pid": 357662, "filename": "ls", "start_time": 1686808904134, "end_time": 0, "exit_code": -1, </snip>

@matthill
Contributor

I took a look at the issue. It appears that this dash is the syslog field for msg_id. That field is used for providing a particular code for a log message (e.g., ERR_42 "file not found").

It's inserted by the library when none is provided:
https://github.com/aboehm/pysyslogclient/blob/master/pysyslogclient/__init__.py#L210

I'm not exactly sure if it's appropriate to include here. Perhaps the msg_id should be the event type? If that change were made, then the dash would be replaced with "command_finish" and "command_start" in your example. In either case, you'd need to configure your syslog receiver to parse it.
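Receiver-side handling of both variants discussed above, as an added example that is not part of this issue or of sshlog: the body is split on the RFC 5424 MSGID token (the nil value `-`, or an event name if the sender is changed to populate it), the remainder is parsed as JSON, and a populated MSGID is required to agree with the payload's `event_type`. The sample bodies are constructed and the function names are this example's own.

```python
import json
import re

# Constructed sample bodies (not taken from the issue): the message part as a
# receiver hands it on, with the RFC 5424 MSGID token still in front.
SAMPLE_BODIES = [
    '- {"event_type": "command_start", "ptm_pid": 357662, "filename": "ls"}',
    'command_finish {"event_type": "command_finish", "ptm_pid": 357662, "exit_code": 0}',
    '{"event_type": "file_upload", "ptm_pid": 357662}',  # already bare JSON
]

NIL = "-"  # RFC 5424 nil value, sent when no MSGID is supplied


def split_msgid(body: str):
    """Return (msg_id, json_text); msg_id is None for nil or for bare JSON."""
    body = body.lstrip()
    if body.startswith("{"):
        return None, body
    token, _, rest = body.partition(" ")
    # An RFC 5424 MSGID is 1 to 32 printable US-ASCII characters, no spaces.
    if not re.fullmatch(r"[\x21-\x7e]{1,32}", token):
        raise ValueError(f"malformed MSGID token: {token!r}")
    return (None if token == NIL else token), rest.lstrip()


def parse_event(body: str) -> dict:
    """Parse one sshlog JSON event; rejects a MSGID that contradicts the payload."""
    msg_id, text = split_msgid(body)
    event = json.loads(text)  # raises ValueError on an empty or invalid payload
    if not isinstance(event, dict):
        raise ValueError("payload is not a JSON object")
    # If the sender puts the event type into MSGID (the change proposed in the
    # issue), the two must agree, so a tampered or mis-framed header is noticed.
    if msg_id is not None and event.get("event_type") != msg_id:
        raise ValueError(
            f"MSGID {msg_id!r} disagrees with event_type {event.get('event_type')!r}"
        )
    event["msg_id"] = msg_id
    return event


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(parse_event(body))
```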

@ronott
Author

ronott commented Jul 3, 2023

Thanks for looking into this and the short write-up. I'll handle this on my log processors then.

@ronott ronott closed this as completed Jul 3, 2023