New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd-journald breaks forwarding to syslog format with extra space, affecting rsyslogd parser #24540
Comments
where would one find the patches arch added between 251.3-1 and 251.4-1? |
I think in Arch Linux "base" repository, where one can get everything related to current systemd build using: Looks like it's built from https://github.com/systemd/systemd-stable git tree (wonder if maybe I'm submitting an issue against wrong repo), with only relatively simple 0001-Use-Arch-Linux-device-access-groups.patch applied (should be checked out into "systemd-arch" dir with command above) that changes group names and some udev rules. |
I cannot find anything relevant between v251.3 and v251.4: $ git log --oneline v251.3..v251.4 -- src/fundamental src/basic src/libsystemd src/shared src/journal 695eb67 gcrypt: switch to system rng before gcry_check_version (#24162) |
Is this really fixed when you downgrade to v251.3, with the same kernel and other libraries? |
Yeah, currently looking at specific message in journalctl, I can see that that space is a part of SYSLOG_TIMESTAMP:
Which I think journald itself parses from how libc syslog() formats it (?). And that's how it gets sent to /dev/log (by dbus-daemon in this case):
So it does look like a problem in libc or whatever formats these timestamps for syslog calls in apps, which systemd simply passes through as-is, and issue only popping-up in rsyslogd which tries to parse them more strictly. |
Sorry for the noise. Update: Confirmed an issue to pop-up in a VM with update to glibc-2.36-3 and gone after downgrading back to glibc-2.35-6. Related Arch Linux and glibc issues: |
systemd version the issue has been seen with
251.4
Used distribution
Arch Linux
Linux kernel version used
5.15.64
CPU architectures issue was seen on
x86_64
Component
systemd-journald
Expected behaviour you didn't see
Message forwarded to syslog via
/run/systemd/journal/syslog
socket would look like this:... msg_iov=[{iov_base="<30>Sep 2 14:56:09 dbus-daemon[1766]: [system] Activating via systemd: ...
Unexpected behaviour you saw
Forwarded msg has an extra whitespace character after timestamp, breaking RFC format:
("old" is expected msg from above and systemd-251.3, "new" is one seen with systemd-251.4)
This breaks rsyslog, as reported in this issue there - rsyslog/rsyslog#4979
It was also suggested there that this is a bug in systemd, and this extra whitespace character should not be there.
Steps to reproduce the problem
Relatively easy to do with rsyslog:
ForwardToSyslog=yes
in /etc/systemd/journald.conf, restart systemd-journald.input(type="imuxsock" Socket="/run/systemd/journal/syslog")
For easier testing with rsyslogd, here is a simple configuration file for it:
Running
rsyslogd -nf rsyslog.conf | jq -C .
with that should immediately reproduce the issue, with"programname": "",
and"procid": "-",
fields notably bogus in its own startup logging.To check what gets passed over
/run/systemd/journal/syslog
, strace tool can be used as follows:strace -e recvmsg -s8000 -fp $(pgrep -x rsyslogd)
It can also be used with any other reader for that socket, as presumably it'd get same exact output, exhibiting same problem.
Additional program output to the terminal or log subsystem illustrating the issue
Two strace recvmsg() lines from systems without and with the issue (before/after updates):
Correct message from systemd before 251.4 (strace'd from a different system):
[pid 1807] recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="<30>Sep 2 14:56:09 dbus-daemon[1766]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.3593' (uid=0 pid=2626928 comm=\"timedatectl\")", iov_len=8096}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SO_TIMESTAMP_OLD, cmsg_data={tv_sec=1662112569, tv_usec=796094}}, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS, cmsg_data={pid=1766, uid=81, gid=81}}], msg_controllen=64, msg_flags=0}, MSG_DONTWAIT) = 220
Incorrect msg from systemd 251.4:
[pid 71761] recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="<30>Sep 2 14:54:15 dbus-daemon[1661]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.126' (uid=0 pid=71823 comm=\"timedatectl\")", iov_len=8096}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SO_TIMESTAMP_OLD, cmsg_data={tv_sec=1662112455, tv_usec=892229}}, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS, cmsg_data={pid=1661, uid=81, gid=81}}], msg_controllen=64, msg_flags=0}, MSG_DONTWAIT) = 218
As far as I can tell, issue appeared after update from systemd 251.3-1 to 251.4-1 on an Arch Linux system, where bunch of other libs/components were updated as well, but notably not rsyslogd.
It was also brought up in rsyslog/rsyslog#4979 (as also mentioned above), and it was suggested there that this seem to be a regression in systemd syslog forwarding, as its format no longer conforms to a relevant RFC standard.
I couldn't find any related commits/changes or issues/PRs about this here on a short notice.
Thanks!
The text was updated successfully, but these errors were encountered: