
Adding remote Syslog RFC5424 compatibility
Closed, Resolved | Public | FEATURE REQUEST

Description

Hi,

I was looking into getting remote syslog logging working with Loki (from the guys from GrafanaLabs). However, their collector (promtail) only supports RFC5424 with octet-counted messages.
After some digging, I have found that VyOS defaults to RFC3164 format via rsyslog's "omfwd".

I have the correct syntax now for the config that is generated by 'syslog.py' which is working with Loki, and should be working for Telegraf (influx) too.

The following config creates:

syslog {
    host 10.10.10.10 {
        facility all {
            level all
            protocol tcp
        }
        port 1514
    }
}

vyos@vyos:/etc/rsyslog.d$ cat vyos-rsyslog.conf
## generated by syslog.py ##

## remote logging
*.* @@10.10.10.10:1514

However, to get this working, the following config is required:

vyos@vyos:/etc/rsyslog.d$ cat vyos-rsyslog.conf 
## generated by syslog.py ##

## remote logging
*.* @@(o)10.10.10.10:1514;RSYSLOG_SyslogProtocol23Format

I myself am unfamiliar with vbash and the structure of VyOS's scripts. But if I know where and how, I could even add some commands that add this as an option.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

How to name this function?

set system syslog host 10.0.3.2 forward
set system syslog host 10.0.3.2 omfw
set system syslog host 10.0.3.2 mode-omfw
set system syslog host 10.0.3.2 mode-forward

Your suggestions?

I'd suggest:
set system syslog host 10.0.3.2 format 5424 - description stating this uses RFC5424 style format
set system syslog host 10.0.3.2 format octet-counted - description stating messages are octet counted

But I'm unfamiliar with VyOS's naming conventions/tree styling guidelines - if there are any.

PR https://github.com/vyos/vyos-1x/pull/573

Adding new option "format" for syslog

vyos@r4-roll# set system syslog host 100.64.0.5 format 
Possible completions:
   octet-counted
                Allows for the transmission of all characters inside a syslog message

set system syslog host 100.64.0.5 facility all level 'all'
set system syslog host 100.64.0.5 facility all protocol 'tcp'
set system syslog host 100.64.0.5 format octet-counted
set system syslog host 100.64.0.5 port '1514'
commit

Check config

vyos@r4-roll# sudo cat /etc/rsyslog.d/vyos-rsyslog.conf 
## generated by syslog.py ##
## file based logging
$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog
*.info;local7.debug :omfile:$global
## remote logging
*.* @@100.64.0.5:1514;RSYSLOG_SyslogProtocol23Format
[edit]
vyos@r4-roll#

Thank you Viacheslav

RSYSLOG_SyslogProtocol23Format sets the format of the syslog message to conform to RFC5424.
The (o) sets the octet-counted option for the syslog message.

Your commit sets octet-counted, but is actually changing syslog message type.
octet-counted should add:

## remote logging
*.* @@(o)10.10.10.10:1514

Notice the (o).

format 5424 should add:
RSYSLOG_SyslogProtocol23Format

@D0peX Is that correct? I updated the PR.

vyos@r4-roll# sudo cat /etc/rsyslog.d/vyos-rsyslog.conf 
## generated by syslog.py ##
## file based logging
$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog
*.info;local7.debug :omfile:$global
## remote logging
*.* @@(o)100.64.0.5:1514;RSYSLOG_SyslogProtocol23Format
[edit]
vyos@r4-roll#

erkin set Issue type to Feature (new functionality). Aug 29 2021, 12:49 PM
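
The thread separates two independent settings: the (o) option controls framing on the TCP stream, and RSYSLOG_SyslogProtocol23Format controls the message format. The sketch below is an added example, not code from the task, from vyos-1x, or from promtail; it models a receiver that accepts only octet-counted RFC5424 input, as the description says promtail does. The octet-counting parser follows RFC 6587, and the function names and sample messages are constructed for illustration.

```python
import re

# RFC 5424 messages start with <PRI>VERSION SP, where VERSION is 1.
RFC5424_HEAD = re.compile(rb"^<(\d{1,3})>1 ")
# RFC 3164 messages start with <PRI> followed directly by a month name.
RFC3164_HEAD = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} ")
# Octet counting (RFC 6587): MSG-LEN SP SYSLOG-MSG, MSG-LEN has no leading zero.
COUNT = re.compile(rb"([1-9]\d*) ")

def split_octet_counted(stream: bytes) -> list[bytes]:
    """Split a TCP byte stream into messages using the length prefixes."""
    frames, pos = [], 0
    while pos < len(stream):
        m = COUNT.match(stream, pos)
        if not m:  # e.g. a newline-delimited stream, which starts with "<"
            raise ValueError(f"no octet count at offset {pos}")
        end = m.end() + int(m.group(1))
        if end > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[m.end():end])
        pos = end
    return frames

def classify(msg: bytes) -> str:
    """Tell the two header styles apart by what follows <PRI>."""
    if RFC5424_HEAD.match(msg):
        return "rfc5424"
    if RFC3164_HEAD.match(msg):
        return "rfc3164"
    return "unknown"

def frame(msg: bytes) -> bytes:
    """Sender side of octet counting: prefix the message with its byte length."""
    return str(len(msg)).encode() + b" " + msg

def receiver_accepts(stream: bytes) -> bool:
    """Assumed strict receiver: needs octet counting AND RFC 5424 headers."""
    try:
        frames = split_octet_counted(stream)
    except ValueError:
        return False
    return bool(frames) and all(classify(f) == "rfc5424" for f in frames)

# Constructed sample messages, not captured from a real VyOS router.
MSG_5424 = b"<14>1 2021-08-29T12:49:00+00:00 vyos sshd 1234 - - session opened"
MSG_3164 = b"<14>Aug 29 12:49:00 vyos sshd[1234]: session opened"
MSG_MULTILINE = b"<14>1 2021-08-29T12:49:00+00:00 vyos app - - - line one\nline two"
```

Only the combination of both settings passes `receiver_accepts`; the multi-line sample shows why the length prefix lets a message carry a newline that delimiter-based framing would split on.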