<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-US">Hi Peter,<br>
<br>
thanks a lot, this resolved the issue without having to use hacky templates.<br>
<br>
Still it bugs me out that rewriting $PROGRAM didn’t work. </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-US">Any idea why?<br>
</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-US">According to the other list posting it should‘ve.<br>
<br>
Cheers,<br>
Fabian<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Von:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng <syslog-ng-bounces@lists.balabit.hu>
<b>Im Auftrag von </b>Peter Czanik (pczanik)<br>
<b>Gesendet:</b> Freitag, 5. Juni 2020 08:36<br>
<b>An:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Betreff:</b> Re: [syslog-ng] Message and Header are being split incorrectly<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Hi,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">FreeBSD 12.1 changed from the legacy syslog protocol to RFC 5424 format. When you use the system() source for local logs, this is handled automagically. But you can also fix it
by hand: <a href="https://github.com/syslog-ng/syslog-ng/issues/2428">https://github.com/syslog-ng/syslog-ng/issues/2428</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Bye,<o:p></o:p></span></p>
</div>
<div>
<div id="Signature">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Peter Czanik (CzP) &lt;<a href="mailto:peter.czanik@oneidentity.com">peter.czanik@oneidentity.com</a>&gt;<br>
Balabit (a OneIdentity company) / syslog-ng upstream<br>
<a href="https://syslog-ng.com/community/" target="_blank">https://syslog-ng.com/community/</a><br>
<a href="https://twitter.com/PCzanik" target="_blank">https://twitter.com/PCzanik</a></span></p>
</div>
</div>
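<p class="MsoNormal">The mis-split Peter describes, shown by applying both header grammars to the two records quoted in the original post. This is an added example, not code from the thread or from syslog-ng: it is a simplified Python model of an RFC 3164 ("BSD syslog") header parser and an RFC 5424 header parser, not syslog-ng's implementation. The &lt;PRI&gt; values and the reconstructed pre-12.1 record are constructed for the example; the header text after &lt;PRI&gt; is taken from the posted lines.</p>

```python
"""Why a legacy (RFC 3164) header parser turns FreeBSD 12.1's RFC 5424 records
into PROGRAM="1": both header grammars applied to the lines from the post."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two records quoted in the original post, prefixed
# with the <PRI> a FreeBSD 12.1 syslogd writes to /var/run/log.  The PRI values
# (cron.notice = 77, daemon.err = 27) are assumed; the post does not show them.
RFC5424_RECORDS = [
    "<77>1 2020-06-05T08:12:00.042109+02:00 myhostname /usr/sbin/cron 71149 - - "
    "(root) RELOAD (tabs/root)",
    "<27>1 2020-06-05T08:12:01.546089+02:00 myhostname named 54403 - - "
    "client @0xfffffff 0.0.0.0: update 'some.domain/IN' denied",
]
# The named record as a pre-12.1 syslogd would have written it (constructed):
# BSD timestamp, no hostname on the local socket, then TAG "prog[pid]:".
LEGACY_RECORD = ("<27>Jun  5 08:12:01 named[54403]: "
                 "client @0xfffffff 0.0.0.0: update 'some.domain/IN' denied")


@dataclass
class Parsed:
    program: str
    pid: Optional[str]
    message: str
    host: Optional[str] = None
    timestamp: Optional[str] = None


PRI_RE = re.compile(r"^<(\d{1,3})>")
BSD_TS_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d \d\d:\d\d:\d\d ")
# RFC 3164 TAG: program, optional "[pid]", optional ":", ended by space/colon/bracket.
TAG_RE = re.compile(r"^([^ :\[]+)(?:\[(\d+)\])?:? ?")
# RFC 5424 header: VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# SP STRUCTURED-DATA [SP MSG].  SD handling is simplified (no escaped "]").
RFC5424_RE = re.compile(
    r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$")


def split_pri(rec: str):
    """Return (PRI as int or None, remainder of the record)."""
    m = PRI_RE.match(rec)
    return (int(m.group(1)), rec[m.end():]) if m else (None, rec)


def parse_legacy(rec: str) -> Parsed:
    """Simplified model of the RFC 3164 path: optional BSD timestamp, then TAG.
    Not syslog-ng's code, but it reproduces the symptom in the post: on an
    RFC 5424 record the VERSION field "1" is taken as the TAG (= $PROGRAM) and
    everything from the ISO timestamp onward lands in $MESSAGE."""
    _, body = split_pri(rec)
    ts = None
    m = BSD_TS_RE.match(body)
    if m:
        ts, body = m.group(0).strip(), body[m.end():]
    m = TAG_RE.match(body)
    if not m:
        return Parsed(program="", pid=None, message=body, timestamp=ts)
    return Parsed(program=m.group(1), pid=m.group(2),
                  message=body[m.end():], timestamp=ts)


def parse_rfc5424(rec: str) -> Parsed:
    """RFC 5424 header parse; "-" is the NILVALUE for HOSTNAME and PROCID."""
    _, body = split_pri(rec)
    m = RFC5424_RE.match(body)
    if not m:
        raise ValueError("not an RFC 5424 record: %r" % body[:40])
    ts, host, app, procid, _msgid, _sd, msg = m.groups()

    def nil(v):
        return None if v == "-" else v

    return Parsed(program=app, pid=nil(procid), message=msg or "",
                  host=nil(host), timestamp=ts)


def looks_like_rfc5424(rec: str) -> bool:
    """Cheap sniff on the raw datagram: VERSION "1" followed by an ISO 8601 date.
    A BSD record starts with "Mmm dd" instead, so the two cannot be confused."""
    _, body = split_pri(rec)
    return re.match(r"^1 \d{4}-\d\d-\d\dT", body) is not None


def parse(rec: str) -> Parsed:
    """Pick the grammar from the record itself instead of assuming one."""
    return parse_rfc5424(rec) if looks_like_rfc5424(rec) else parse_legacy(rec)


def bsd_header(p: Parsed) -> str:
    """The "$PROGRAM[$PID]: " header a BSD-format downstream expects, i.e. what
    the post's subst() rewrite rebuilds by hand from the mis-split $MESSAGE."""
    return f"{p.program}[{p.pid}]: " if p.pid else f"{p.program}: "


if __name__ == "__main__":
    for rec in RFC5424_RECORDS + [LEGACY_RECORD]:
        print("legacy :", parse_legacy(rec))
        print("sniffed:", parse(rec), "->", bsd_header(parse(rec)))
```

<p class="MsoNormal">Run stand-alone, the script prints the legacy parse of each record (PROGRAM "1", no PID, the ISO timestamp at the head of MESSAGE) next to the format-sniffed parse (PROGRAM "named", PID "54403"). In syslog-ng terms the fix is the one in the reply above: the system() source selects the RFC 5424 parser on FreeBSD 12.1; on a hand-written unix-dgram() source the flag that selects that parser is flags(syslog-protocol). A mismatch like this is worth an explicit check in a log pipeline, because every local message gets a wrong $PROGRAM and $PID, so filters and alerts keyed on those fields stop matching without any error being raised.</p>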
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Sass, Fabian <<a href="mailto:Fabian.Sass@f-i-ts.de">Fabian.Sass@f-i-ts.de</a>><br>
<b>Sent:</b> Friday, June 5, 2020 08:28<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] Message and Header are being split incorrectly</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div style="border:solid #9C6500 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FFEB9C"><b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#9C6500">CAUTION:</span></b><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black"> This email originated
from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">Hi,<br>
<br>
since updating the Base OS to FreeBSD 12.1 syslog-ng 3.27.1 fails splitting a message and its headers.<br>
<br>
<br>
Jun 5 08:12:00 myhostname 1 2020-06-05T08:12:00.042109+02:00 myhostname /usr/sbin/cron 71149 - - (root) RELOAD (tabs/root)</span><o:p></o:p></p>
<p class="xmsonormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">Jun 5 08:12:01 myhostname 1 2020-06-05T08:12:01.546089+02:00 myhostname named 54403 - - client @0xfffffff 0.0.0.0: update 'some.domain/IN'
denied</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
Using templates for the destination reveals that the $MSGHDR Macro only holds the value “1”, which is the wrongly extracted $PROGRAM macro.
</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">$MESSAGE itself contains almost all information of the lines above, to be precise everything from (including) the $ISODATE to the end of the line.<br>
However using templates and rewrite rules is in this case sufficient to restore the logformat that was used before the update.</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
The bigger issue is that changing the value of $PROGRAM has no effect when sending it to antoher syslog-ng loghost.<br>
The behavior seems to be analog to this bug:<br>
<a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fpipermail%2Fsyslog-ng%2F2011-August%2F017132.html&data=02%7C01%7CPeter.Czanik%40oneidentity.com%7C4be342ff90b940df59d008d80919b8e7%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C637269353395272488&sdata=h4MEu8GH%2BKK6tbdxi8BvV6r5eBvoZ%2BF44JfzMLj6TbU%3D&reserved=0">https://lists.balabit.hu/pipermail/syslog-ng/2011-August/017132.html</a></span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
As you can see in my syslog-ng.conf the $PROGRAM macro is overwritten to “named” if named was logging to the local syslog-ng. The successful overwriting is verified using a separate logfile (destination d_test):</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">@version: 3.5</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"># options</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">options {</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> mark_freq(3600);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> flush_lines(0);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> dir_perm(0640);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> chain_hostnames(off);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> keep_hostname(yes);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> create_dirs(yes);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> use_dns(yes);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> dns_cache(yes);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> dns_cache_expire(3600);</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">};<br>
source s_all { unix-dgram("/var/run/log");</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> unix-dgram("/var/run/logpriv" perm(0600));</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> internal();</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">};</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"># rewrite since syslog message splitting is broken since update to freebsd12...</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">rewrite r_msg {</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> set(</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> "named", value("PROGRAM") condition(message(".* named [0-9]+ - -.*"))</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> );</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> subst(".* ([a-zA-Z/\._]+) ([0-9]+) - - (.*)", "$1[$2]: $3", value("MESSAGE"));</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">};</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"># destinations</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">destination d_test { file("/var/log/fabian_messages" template("$DATE $PROGRAM $HOST $MESSAGE\n")); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif">destination d_test2 { file("/var/log/fabian_messages2"); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif">destination d_messages { file("/var/log/messages" template("$DATE $HOST $MESSAGE\n")); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="FR" style="font-size:10.0pt;font-family:"Arial",sans-serif">destination d_loghost { tcp("someiphere" port(514) template("$DATE $HOST $MESSAGE\n")); udp("anotheriphere" port(10525) template("$DATE $HOST $MESSAGE\n")); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"># logging</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">#</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">log { source(s_all); rewrite(r_msg); destination(d_messages); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">log { source(s_all); rewrite(r_msg); destination(d_loghost); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">log { source(s_all); rewrite(r_msg); destination(d_test); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">log { source(s_all); destination(d_test2); };</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">Am I missing something here, or is syslog-ng somehow behaving unintended?</span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="xmsonormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial",sans-serif">Fabian</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>