Adding remote Syslog RFC5424 compatibility
Open, Requires assessment | Public | FEATURE REQUEST

Description

Hi,

I was looking into getting remote syslog logging working with Loki (from the guys from GrafanaLabs). However, their collector (promtail) only supports RFC5424 with octet counted messages.
After some digging, I have found that vyos defaults to RFC3164 format via rSyslog's "omfwd".

I have the correct syntax now for the config that is generated by 'syslog.py' which is working with Loki, and should be working for Telegraf (influx) too.

The following config creates:

syslog {
    host 10.10.10.10 {
        facility all {
            level all
            protocol tcp
        }
        port 1514
    }
}

vyos@vyos:/etc/rsyslog.d$ cat vyos-rsyslog.conf
## generated by syslog.py ##

## remote logging
*.* @@10.10.10.10:1514

However, to get this working, the following config is required:

vyos@vyos:/etc/rsyslog.d$ cat vyos-rsyslog.conf 
## generated by syslog.py ##

## remote logging
*.* @@(o)10.10.10.10:1514;RSYSLOG_SyslogProtocol23Format

I myself am unfamiliar with vbash and the structure of VyOS's scripts. But if I know where and how, I could even add some commands that add this as an option.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

D0peX created this task. Wed, Sep 30, 12:26 AM
D0peX updated the task description. Wed, Sep 30, 9:10 AM
pasik added a subscriber: pasik. Wed, Sep 30, 6:03 PM

How to name this function?

set system syslog host 10.0.3.2 forward
set system syslog host 10.0.3.2 omfw
set system syslog host 10.0.3.2 mode-omfw
set system syslog host 10.0.3.2 mode-forward

Your suggestions?

D0peX added a comment. Mon, Oct 12, 7:35 PM

I'd suggest:
set system syslog host 10.0.3.2 format 5424 - description stating this uses RFC5424 style format
set system syslog host 10.0.3.2 format octet-counted - description stating messages are octet counted

But I'm unfamiliar with VyOS's naming conventions/tree styling guidelines, if there are any.

PR https://github.com/vyos/vyos-1x/pull/573

Adding new option "format" for syslog

vyos@r4-roll# set system syslog host 100.64.0.5 format 
Possible completions:
   octet-counted
                Allows for the transmission of all characters inside a syslog message
set system syslog host 100.64.0.5 facility all level 'all'
set system syslog host 100.64.0.5 facility all protocol 'tcp'
set system syslog host 100.64.0.5 format octet-counted
set system syslog host 100.64.0.5 port '1514'
commit

Check config

vyos@r4-roll# sudo cat /etc/rsyslog.d/vyos-rsyslog.conf 
## generated by syslog.py ##
## file based logging
$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog
*.info;local7.debug :omfile:$global
## remote logging
*.* @@100.64.0.5:1514;RSYSLOG_SyslogProtocol23Format
[edit]
vyos@r4-roll#

D0peX added a comment. Fri, Oct 16, 2:06 PM

Thank you Viacheslav

RSYSLOG_SyslogProtocol23Format sets the format of the syslog message to conform to RFC5424.
The (o) sets the octet-counted option for the syslog message.

Your commit sets octet-counted, but is actually changing the syslog message type.
octet-counted should add:

## remote logging
*.* @@(o)10.10.10.10:1514

Notice the (o).

format 5424 should add:
RSYSLOG_SyslogProtocol23Format
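
What the two independent settings in this thread mean on the wire, as an added example (not code from VyOS, rsyslog or any participant here): the message layout follows RFC 5424, the length-prefix framing follows RFC 6587, and a strict octet-counted receiver is shown rejecting an unframed stream. The host, app name and message text are constructed sample values.

```python
# Added example: RFC 5424 message layout plus RFC 6587 octet-counted framing.
# All sample values (host "vyos", app "sshd", message text) are constructed.

def rfc5424(pri, timestamp, host, app, msg, procid="-", msgid="-", sd="-"):
    """<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG"""
    return f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid} {sd} {msg}".encode()

def frame_octet_counted(message: bytes) -> bytes:
    """Sender side: prefix the message with its byte length and one space."""
    return str(len(message)).encode("ascii") + b" " + message

def split_octet_counted(stream: bytes):
    """Receiver side: return (complete messages, unconsumed tail of the stream)."""
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.find(b" ", pos)
        if space == -1:
            break                      # length prefix not fully received yet
        prefix = stream[pos:space]
        if not prefix.isdigit():
            raise ValueError(f"not octet-counted: frame starts with {prefix!r}")
        end = space + 1 + int(prefix)
        if end > len(stream):
            break                      # message body not fully received yet
        messages.append(stream[space + 1:end])
        pos = end
    return messages, stream[pos:]

def split_newline_framed(stream: bytes):
    """Framing without a length prefix: a newline ends each message."""
    return [m for m in stream.split(b"\n") if m]

# Constructed messages; the first carries an embedded newline in its text.
MSG_A = rfc5424(14, "2020-10-16T14:06:00Z", "vyos", "sshd", "line one\nline two")
MSG_B = rfc5424(14, "2020-10-16T14:06:01Z", "vyos", "sshd", "second message")

if __name__ == "__main__":
    stream = frame_octet_counted(MSG_A) + frame_octet_counted(MSG_B)
    print(split_octet_counted(stream)[0])                    # two messages
    print(split_newline_framed(MSG_A + b"\n" + MSG_B + b"\n"))  # three pieces
```
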

Viacheslav added a comment. Edited Fri, Oct 16, 2:28 PM

@D0peX Is that correct? I updated the PR.

vyos@r4-roll# sudo cat /etc/rsyslog.d/vyos-rsyslog.conf 
## generated by syslog.py ##
## file based logging
$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog
*.info;local7.debug :omfile:$global
## remote logging
*.* @@(o)100.64.0.5:1514;RSYSLOG_SyslogProtocol23Format
[edit]
vyos@r4-roll#

@D0peX Can you check the latest rolling?