syslog driver parse bug?
Apologies if I missed a bugfix in my web searching and manually scanning the changelogs.

I'm running syslog-ng (syslog-ng-3.2.5-3.el6.x86_64) on EL6 with the syslog driver as my network source:

    source s_network {
        syslog(ip(0.0.0.0) transport("udp") port(514));
        syslog(ip(0.0.0.0) transport("tcp") port(514));
    };

I have an application that does not have an internal synchronized clock source. Per RFC5424, "A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog application is incapable of obtaining system time." And, the grammar shows

    TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME

When I specify the "-" NILVALUE in the syslog message, the syslog driver does not seem to be able to parse the message and does not log anything. If I hardcode a time value, all message fields seem to post appropriately.

Is this a new issue, or did I miss a version that addressed the handling of NILVALUE? Given RedHat lagging on versions, and Fedora's subsequent changes, I haven't yet begun the effort of retrofitting the RPM source in RAWHIDE to test, with the hope that someone might recognize the bug, or have a pointer to an EL6 SRPM so I can test against latest...

Thanks for any/all pointers for a quick resolution!

John
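An added example, not part of the original post and not syslog-ng's code: an RFC 5424 header parser in Python that accepts the NILVALUE TIMESTAMP from the grammar quoted above instead of rejecting the message, so a sender without a clock does not silently vanish from the logs. Stamping such messages with the receive time is an assumption of this example, and the sample lines, host name and application name are constructed.

```python
import re
from datetime import datetime, timezone

NIL = "-"  # RFC 5424 NILVALUE
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP rest
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)",
    re.DOTALL,
)
# FULL-DATE "T" FULL-TIME: optional 1-6 digit fraction, then Z or a numeric offset
TS = re.compile(
    r"(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))?(?P<tz>Z|[+-]\d{2}:\d{2})"
)

# Constructed sample messages (host and app names are made up).
SAMPLE_NIL = "<165>1 - sensor01 myapp - - - clock not available"
SAMPLE_TS = "<165>1 2014-07-21T16:20:00Z sensor01 myapp - - - clock available"


def parse_timestamp(field, received_at):
    """Return (datetime, source); NILVALUE is valid, not a parse error."""
    if field == NIL:
        # Assumption of this example: stamp the message with the receive time.
        return received_at, "receiver"
    m = TS.fullmatch(field)
    if not m:
        raise ValueError(f"bad TIMESTAMP field: {field!r}")
    frac = "." + m["frac"].ljust(6, "0") if m["frac"] else ""
    tz = "+00:00" if m["tz"] == "Z" else m["tz"]
    return datetime.fromisoformat(m["base"] + frac + tz), "sender"


def parse(line, received_at=None):
    """Parse the RFC 5424 header of one message into a dict."""
    received_at = received_at or datetime.now(timezone.utc)
    m = HEADER.fullmatch(line)
    if not m or int(m["pri"]) > 191:
        raise ValueError("not an RFC 5424 message")
    when, source = parse_timestamp(m["timestamp"], received_at)
    pri = int(m["pri"])
    fields = {k: (None if m[k] == NIL else m[k])
              for k in ("hostname", "app", "procid", "msgid")}
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": when,
            "timestamp_source": source, "rest": m["rest"], **fields}


if __name__ == "__main__":
    for sample in (SAMPLE_NIL, SAMPLE_TS):
        print(parse(sample))
```

Recording `timestamp_source` keeps it visible downstream which events carry a receiver-assigned time rather than one asserted by the sender.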
And sure enough, if you post, you can stumble across the bug and its fix #238. Apologies.

So, my outstanding question at this point - has anyone an EL6 spec/patch set handy?
John Cole <jcole@symbotic.com> writes:
And sure enough, if you post, you can stumble across the bug and its fix #238. Apologies.
So, my outstanding question at this point - has anyone an EL6 spec/patch set handy?

I pulled the two patches that came from #238, and applied them on top of syslog-ng 3.2.3 (the latest in the 3.2 branch I could find tagged). The resulting diff is attached; it should apply cleanly to 3.2.5 too.

Hope this helps!

--
|8]
Thanks Gergely -- your diff worked plenty clean here.

Perhaps we can get it into the EPEL flow... I note Jose Pedro Oliveira seems to be pretty active for syslog-ng on Fedora/EPEL space. In fact, for EPEL6, he has bug 871960 listed for more recent version inclusion. Jose, if you're out there, I'm guessing you've moved as your machine/email appear invalid. If you're the official/unofficial EPEL maintainer, can you assist in getting this into an EPEL build for EL6 as it's a defect in functionality vs feature development?

Thanks everyone -- all set for now!

jc
Hi,

On 07/22/2014 08:43 PM, John Cole wrote:
Thanks Gergely -- your diff worked plenty clean here.
Perhaps we can get it into the EPEL flow... I note Jose Pedro Oliveira seems to be pretty active for syslog-ng on Fedora/EPEL space. In fact, for EPEL6, he has bug 871960 listed for more recent version inclusion. Jose, if you're out there, I'm guessing you've moved as your machine/email appear invalid. If you're the official/unofficial EPEL maintainer, can you assist in getting this into an EPEL build for EL6 as it's a defect in functionality vs feature development?

I'm one of the syslog-ng Fedora/EPEL maintainers, still trying to get familiar with the work-flow and packaging guidelines. I already consulted the other syslog-ng maintainers about this patch and am expecting an answer soon. If I get a go ahead, I'll try to update the package ASAP. Don't expect quick results; it takes considerable time (AFAIK 2+ weeks) before updated packages show up in EPEL.

Don't expect syslog-ng 3.5 to show up in EPEL6, it's against policy (major version update which also makes configuration file editing necessary). I could try to provide a 3.5 package for EL 6 in Copr (Fedora build service) next week, if time permits. syslog-ng 3.5.4.1 is already available in EPEL7, 3.5.5 is expected to arrive tomorrow.

Bye,
--
Peter Czanik (CzP) <peter.czanik@balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik
On 07/22/2014 08:43 PM, John Cole wrote:
Thanks Gergely -- your diff worked plenty clean here.
Perhaps we can get it into the EPEL flow... I note Jose Pedro Oliveira seems to be pretty active for syslog-ng on Fedora/EPEL space. In fact, for EPEL6, he has bug 871960 listed for more recent version inclusion. Jose, if you're out there, I'm guessing you've moved as your machine/email appear invalid. If you're the official/unofficial EPEL maintainer, can you assist in getting this into an EPEL build for EL6 as it's a defect in functionality vs feature development?

I updated the current EPEL6 package with the patch and built it. It's available at http://koji.fedoraproject.org/koji/taskinfo?taskID=7183963

Please check it, and let me know how it works (I only have RHEL7 machines at the moment...). Once you have checked it, I can send the updated package to EPEL.

Bye,
--
Peter Czanik (CzP) <peter.czanik@balabit.com>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
https://twitter.com/PCzanik
Fully deployed and working on a handful of machines over the last day. Ready to push out I'd say...

Thanks!

jc
Hi,

On 07/25/2014 04:08 PM, John Cole wrote:
Fully deployed and working on a handful of machines over the last day. Ready to push out I'd say...

Thanks for testing! I pushed the updated package to EPEL, but it can take a while before it really reaches the repository!

Have a nice weekend!

Bye,
CzP
participants (3): Gergely Nagy, John Cole, Peter Czanik