Page MenuHomeVyOS Platform
Create Task
Maniphest T4039

Rsyslog to use 'protocol23format' for protocol UDP
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Our syslog server (Graylog, using the default UDP Syslog Input) requires specific timestamp format. I've needed to edit the /etc/rsyslog.d/vyos-rsyslog.conf to include this feature. I'm not sure if this manual change will persist through reboots or upgrades. I'd like this to be exposed in the CLI or config as an optional setting. I'm not sure what is the best way to implement this.

Typical syslog config:

set system syslog host x.x.x.x facility all level 'all'
set system syslog host x.x.x.x facility all protocol 'udp'
set system syslog host x.x.x.x port '514'

Manual Change:
Adding RSYSLOG_SyslogProtocol23Format to the last line. (Reference Link)

admin@vyos:~$ cat /etc/rsyslog.d/vyos-rsyslog.conf
## generated by syslog.py ##
## file based logging
$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog
*.notice;local7.debug :omfile:$global
## remote logging
*.* @x.x.x.x:514;RSYSLOG_SyslogProtocol23Format

Then restarting the service:

sudo systemctl stop syslog.service

sudo systemctl restart syslog.service

Currently Running:

Version:          VyOS 1.3.0-rc6
Release Train:    equuleus

Built by:         Sentrium S.L.
Built on:         Sun 22 Aug 2021 15:37 UTC
Build UUID:       965518de-857d-4e61-ab09-381aadf24eb1
Build Commit ID:  75b37b28b2e9ab

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.0-rc6
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Related Objects

Mentioned In
1.3.6

Event Timeline

showipintbri created this task.Dec 2 2021, 9:32 PM
Viacheslav added a subscriber: Viacheslav.Dec 2 2021, 10:22 PM

It is working only for TCP right now

set system syslog host 192.168.122.1 facility all protocol 'tcp'
set system syslog host 192.168.122.1 format octet-counted
set system syslog host 192.168.122.1 port '1514'

Config:

vyos@r4-epa2# cat /etc/rsyslog.d/vyos-rsyslog.conf 
## generated by syslog.py ##
## file based logging
$outchannel global,/var/log/messages,262144,/usr/sbin/logrotate /etc/logrotate.d/vyos-rsyslog
*.info;local7.debug :omfile:$global
## console logging
## remote logging
*.err @@(o)192.168.122.1:1514;RSYSLOG_SyslogProtocol23Format
[edit]
vyos@r4-epa2#

It will be not hard to add and UDP option if it required
An example for TCP, https://github.com/vyos/vyos-1x/commit/fcf90cd860ba806c9a06526b5e1d88ca18d6f575

pasik added a subscriber: pasik.Dec 3 2021, 1:24 PM
showipintbri added a comment.EditedDec 6 2021, 7:59 PM

As mentioned I'm running: VyOS 1.3.0-rc6

I found the jinja template file in: /usr/share/vyos/templates/syslog/rsyslog.conf.tmpl

The original looks like this:

## generated by syslog.py ##
## file based logging
{% if files['global']['marker'] %}
$ModLoad immark
{% if files['global']['marker-interval'] %}
$MarkMessagePeriod  {{files['global']['marker-interval']}}
{% endif %}
{% endif %}
{% if files['global']['preserver_fqdn'] %}
$PreserveFQDN on
{% endif %}
{% for file in files %}
$outchannel {{file}},{{files[file]['log-file']}},{{files[file]['max-size']}},{{files[file]['action-on-max-size']}}
{{files[file]['selectors']}} :omfile:${{file}}
{% endfor %}
{% if console %}
## console logging
{% for con in console %}
{{console[con]['selectors']}} /dev/console
{% endfor %}
{% endif %}
{% if hosts %}
## remote logging
{% for host in hosts %}
{%   if hosts[host]['proto'] == 'tcp' %}
{%     if hosts[host]['port'] %}
{%       if hosts[host]['oct_count'] %}
{{hosts[host]['selectors']}} @@(o){{host}}:{{hosts[host]['port']}};RSYSLOG_SyslogProtocol23Format
{%       else %}
{{hosts[host]['selectors']}} @@{{host}}:{{hosts[host]['port']}}
{%       endif %}
{%     else %}
{{hosts[host]['selectors']}} @@{{host}}
{%     endif %}
{%   else %}
{%     if hosts[host]['port'] %}
{{hosts[host]['selectors']}} @{{host}}:{{hosts[host]['port']}}
{%     else %}
{{hosts[host]['selectors']}} @{{host}}
{%     endif %}
{%   endif %}
{% endfor %}
{% endif %}
{% if user %}
{% for u in user %}
{{user[u]['selectors']}} :omusrmsg:{{u}}
{% endfor %}
{% endif %}

I've updated my template to include a few new lines which should append ;RSYSLOG_SyslogProtocol23Format to my UDP host entry:

## generated by syslog.py ##
## file based logging
{% if files['global']['marker'] %}
$ModLoad immark
{% if files['global']['marker-interval'] %}
$MarkMessagePeriod  {{files['global']['marker-interval']}}
{% endif %}
{% endif %}
{% if files['global']['preserver_fqdn'] %}
$PreserveFQDN on
{% endif %}
{% for file in files %}
$outchannel {{file}},{{files[file]['log-file']}},{{files[file]['max-size']}},{{files[file]['action-on-max-size']}}
{{files[file]['selectors']}} :omfile:${{file}}
{% endfor %}
{% if console %}
## console logging
{% for con in console %}
{{console[con]['selectors']}} /dev/console
{% endfor %}
{% endif %}
{% if hosts %}
## remote logging
{% for host in hosts %}
{%   if hosts[host]['proto'] == 'tcp' %}
{%     if hosts[host]['port'] %}
{%       if hosts[host]['oct_count'] %}
{{hosts[host]['selectors']}} @@(o){{host}}:{{hosts[host]['port']}};RSYSLOG_SyslogProtocol23Format
{%       else %}
{{hosts[host]['selectors']}} @@{{host}}:{{hosts[host]['port']}}
{%       endif %}
{%     else %}
{{hosts[host]['selectors']}} @@{{host}}
{%     endif %}
{%   else %}
{%     if hosts[host]['port'] %}
{%       if hosts[host]['oct_count'] %}
{{hosts[host]['selectors']}} @{{host}}:{{hosts[host]['port']}};RSYSLOG_SyslogProtocol23Format
{%       else %}
{{hosts[host]['selectors']}} @{{host}}:{{hosts[host]['port']}}
{%     else %}
{{hosts[host]['selectors']}} @{{host}}
{%     endif %}
{%   endif %}
{% endfor %}
{% endif %}
{% if user %}
{% for u in user %}
{{user[u]['selectors']}} :omusrmsg:{{u}}
{% endfor %}
{% endif %}

After I make a few syslog config changes via the CLI, I expect to get: *.* @x.x.x.x:514;RSYSLOG_SyslogProtocol23Format , but sadly I don't.

Viacheslav added a project: VyOS 1.4 Sagitta.Dec 21 2021, 6:43 PM
Viacheslav changed the subtype of this task from "Bug" to "Feature Request".
Viacheslav added a comment.EditedDec 21 2021, 7:51 PM

PR https://github.com/vyos/vyos-1x/pull/1116

set system syslog host 192.168.122.11 facility all level 'all'
set system syslog host 192.168.122.11 facility all protocol 'udp'
set system syslog host 192.168.122.11 format octet-counted
set system syslog host 192.168.122.11 port '514'

Rsyslog:

*.* @192.168.122.11:514;RSYSLOG_SyslogProtocol23Format
Viacheslav renamed this task from Rsyslog to use 'protocol23format' to Rsyslog to use 'protocol23format' for protocol UDP.Dec 21 2021, 7:55 PM
c-po moved this task from Need Triage to Backlog on the VyOS 1.4 Sagitta board.Dec 25 2021, 10:29 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.4 Sagitta, VyOS 1.3 Equuleus.Aug 14 2022, 1:05 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.2).Aug 29 2022, 12:14 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:39 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:36 PM
Viacheslav closed this task as Resolved.Jan 20 2024, 3:01 AM
Viacheslav claimed this task.
dmbaturin mentioned this in 1.3.6.Feb 3 2024, 1:59 AM