NetBSD Problem Report #58558

From www@netbsd.org  Wed Aug  7 05:31:04 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 553901A923A
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  7 Aug 2024 05:31:04 +0000 (UTC)
Message-Id: <20240807053102.F3ECF1A923C@mollari.NetBSD.org>
Date: Wed,  7 Aug 2024 05:31:02 +0000 (UTC)
From: xover2391@hush.com
Reply-To: xover2391@hush.com
To: gnats-bugs@NetBSD.org
Subject: syslog.conf(5) man page example does not work.
X-Send-Pr-Version: www-1.0

>Number:         58558
>Category:       bin
>Synopsis:       syslog.conf(5) man page example does not work.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 07 05:35:00 +0000 2024
>Last-Modified:  Mon Sep 09 09:53:54 +0000 2024
>Originator:     Archie
>Release:        10.0
>Organization:
>Environment:
NetBSD  10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
I have been trying to get syslogd to save messages sent to it from a
remote device, to a separate file. I created the following thread in
the netbsd-users mailing list to ask for assistance:

https://mail-index.netbsd.org/netbsd-users/2024/07/24/msg031511.html

Some suggestions were provided, but did not resolve the issue. I then
tried to use an example from the EXAMPLES section of the
syslog.conf(5) man page, which did not work as expected. I documented
what I did in the following post of the same thread:

https://mail-index.netbsd.org/netbsd-users/2024/07/31/msg031578.html

Here is a copy of the text in that post:

**********************************************************************
I decided to try one of the examples given near the end of the
syslog.conf(5) man page. I removed the alterations I had made to the
/etc/syslog.conf file, and appended the following example instead:

# Save non-local log messages from all programs to a separate file.
!*
-@
*.*                                     /var/log/foreign

I then created the /var/log/foreign file with:

touch /var/log/foreign

Lastly, I rebooted the NetBSD server and logged in.

The /var/log/messages file contained the usual stuff, but also the
messages from the remote device (192.168.1.200) which I was not
expecting.

The /var/log/foreign file contained everything logged in
/var/log/messages, /var/log/maillog, /var/log/authlog, and the
messages from the remote device (192.168.1.200).  Definitely wasn't
expecting that.

So, unless I'm doing something very wrong, something with the syslog
system doesn't seem to be working as it should.
**********************************************************************

The problem I was originally trying to solve (having the syslog
messages from a remote device written to a separate file) and the
problem with the example from the EXAMPLES section of the
syslog.conf(5) man page might be interconnected.  Solving one might
solve the other.
>How-To-Repeat:
- Configure a device to send syslog messages to the IP address of the
  NetBSD server (192.168.1.100). In my case it was a HP
  network/ethernet switch with the latest available firmware.

- Perform a fresh install of NetBSD 10/amd64.

- Append the following line to rc.conf:

syslogd_flags="-n -S -T -v -v"

- Create a suitable /etc/ifconfig.<if> file on the NetBSD server. In
  my case it was ifconfig.re0 and its contents were:

inet 192.168.1.100 netmask 0xffffff00 tso4 ip4csum udp4csum tcp4csum

- Append the following (taken from the EXAMPLES section of the
  syslog.conf(5) man page) to the /etc/syslog.conf file:

# Save non-local log messages from all programs to a separate file.
!*
-@
*.*                                     /var/log/foreign

- Create the required file manually (in case syslogd wouldn't)

# touch /var/log/foreign

- Reboot the NetBSD server.

- Login and inspect the recently written /var/log files.
- /var/log/messages contains syslog messages from the remote device,
  which it shouldn't have.
- /var/log/foreign contains syslog messages from the remote device,
  but it also contains everything logged in /var/log/messages,
  /var/log/maillog, /var/log/authlog, and /var/log/cron, which it
  shouldn't have.

>Fix:

>Release-Note:

>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 7 Aug 2024 06:21:52 -0000 (UTC)

 xover2391@hush.com writes:

 ># Save non-local log messages from all programs to a separate file.
 >!*
 >-@
 >*.*                                     /var/log/foreign


 Are you aware that the selector (left side) and action (right side)
 need to be separated by TAB characters, not spaces ?

From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)

 On Wed, 7 Aug 2024, xover2391@hush.com wrote:

 > # Save non-local log messages from all programs to a separate file.
 > !*
 > -@
 > *.*                                     /var/log/foreign
 >

 There is PR #47529 which _looks_ almost like this PR, except, close reading
 of syslog.conf(5) suggests that the duplicate copies should be expected with
 the config. file you've shown. Ie. by default, messages will "cascade" to
 multiple files unless stopped by other rules or using the `-U' flag to syslogd.

 Here's a syslog.conf which does work for separating outputs from other hosts
 to a different file (works around PR #47529 too):

 ```
 #	$NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $

 +@
 *.err;kern.*;auth.notice;authpriv.none;mail.crit	/dev/console
 *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none	/var/log/messages
 kern.debug						/var/log/messages

 # The authpriv log file should be restricted access; these
 # messages shouldn't go to terminals or publically-readable
 # files.
 auth,authpriv.info					/var/log/authlog

 cron.info						/var/log/cron
 ftp.info						/var/log/xferlog
 lpr.info						/var/log/lpd-errs
 mail.info						/var/log/maillog
 #uucp.info						/var/spool/uucp/ERRORS

 *.emerg							*
 #*.notice						root

 !*
 +192.168.68.171,qemu
 *.*							/var/log/host1.log
 ```

 The only additions from the default syslog.conf file are the:

 +@

 and:

 !*
 +192.168.68.171,qemu
 *.*							/var/log/host1.log

 The `+@' hostname-spec causes the rules following it to be applied _only_ to
 the local host. This duplicates the functionality of the default config. file.

 The other block then sends all output from the named host(s) to a separate
 file.

 But, for this to work (I've just tested this), the remote host has to send
 well formed syslog data to the syslogd program on NetBSD. In my test the remote
 host ("qemu") was also NetBSD and the messages in `/var/log/host1.log' look
 like this:

 ```
 <auth.info>Aug  7 06:29:02 qemu sshd[327]: Server listening on :: port 22.
 <auth.info>Aug  7 06:29:02 qemu sshd[327]: Server listening on 0.0.0.0 port 22.
 <user.debug>Aug  7 06:29:02 qemu sshd: bl_init: connect failed for `/var/run/blacklistd.sock' (No such file or directory)
 <mail.info>Aug  7 06:29:02 qemu postfix/postfix-script[466]: starting the Postfix mail system
 <mail.info>Aug  7 06:29:02 qemu postfix/master[479]: daemon started -- version 3.8.4, configuration /etc/postfix
 <auth.notice>Aug  7 06:29:36 qemu login: ROOT LOGIN (root) on tty constty
 <cron.info>Aug  7 06:30:43 qemu cron[549]: (root) CMD START (/usr/libexec/atrun)
 <cron.info>Aug  7 06:30:43 qemu cron[537]: (root) CMD FINISH (/usr/libexec/atrun)
 ```

 The message you posted on netbsd-users@ looks malformed:

 ```
 <user.info>Aug  7 10:40:08 Aug -:  7 10:40:08 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30 started for user admin connected from 192.168.1.210
 ```

 Don't know if it's a bug in syslogd which's responsible or it's the sender who's
 responsible.

 Can you do a tcpdump like this and show the output?

 ```
 root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port syslog
 ```

 -RVP
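
An added example, written for this page and not part of the PR or of NetBSD's syslogd: a small Python model of the block specifications RVP describes above (`+@`, `-@`, `+host,host`, `!*`) and of the cascade, run over a shortened copy of the stock rules plus the man page fragment, and over RVP's layout with the leading `+@`. The selector semantics, the message dictionaries, the local host name `netbsd1` and the `STOCK`, `FRAGMENT` and `FIXED` strings are assumptions constructed for the demo, not NetBSD's parser or its real behaviour.

```python
"""Added example, not from this PR or from NetBSD's syslogd: a model of how
host specs (`+@`, `-@`, `+name[,name]`, `-name[,name]`, `+*`) and program
specs (`!prog[,prog]`, `!*`) in syslog.conf(5) gate the rules after them,
with every matching rule firing (the cascade). Assumed selector semantics:
`*` matches all, `none` drops a facility, a priority means that level or
higher, and later `;`-separated parts override earlier ones per facility.
"""
import re

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def parse_conf(text):
    """Return (host_spec, prog_spec, selector, action) per rule; None = any."""
    host, prog, rules = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":                           # hostname specification
            names = line[1:]
            host = None if names == "*" else (line[0], set(names.split(",")))
        elif line[0] == "!":                          # program specification
            names = line[1:]
            prog = None if names == "*" else set(names.split(","))
        else:
            # Selector and action must be separated by TAB(s), as the PR notes.
            parts = re.split(r"\t+", line, maxsplit=1)
            if len(parts) != 2:
                raise ValueError("no TAB between selector and action: %r" % line)
            rules.append((host, prog, parts[0].strip(), parts[1].strip()))
    return rules


def selector_matches(selector, facility, priority):
    """Evaluate e.g. `*.info;auth,authpriv.none` for one message."""
    matched = False
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        else:
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(pri)
    return matched


def host_allowed(host_spec, msg_host, local_host):
    """`+` lists allow only those hosts, `-` lists exclude them; `@` = local host."""
    if host_spec is None:
        return True
    sign, names = host_spec
    names = {local_host if n == "@" else n for n in names}
    return (msg_host in names) == (sign == "+")


def route(conf_text, msg, local_host):
    """Return every action the message reaches, in config order (the cascade)."""
    hits = []
    for host_spec, prog_spec, selector, action in parse_conf(conf_text):
        if not host_allowed(host_spec, msg["host"], local_host):
            continue
        if prog_spec is not None and msg["prog"] not in prog_spec:
            continue
        if selector_matches(selector, msg["facility"], msg["priority"]):
            hits.append(action)
    return hits


# Constructed, shortened copy of the stock rules quoted in the PR (\t = TAB).
STOCK = """\
*.err;kern.*;auth.notice;authpriv.none;mail.crit\t/dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none\t/var/log/messages
auth,authpriv.info\t/var/log/authlog
*.emerg\t*
"""
# The syslog.conf(5) EXAMPLES fragment exactly as the submitter appended it.
FRAGMENT = "!*\n-@\n*.*\t/var/log/foreign\n"
# RVP's layout: `+@` ahead of the stock rules, then the foreign catch-all and
# a block for one named remote host.
FIXED = "+@\n" + STOCK + FRAGMENT + "+192.168.68.171,qemu\n*.*\t/var/log/host1.log\n"

# Constructed messages: one local, two from hosts named in the thread.
LOCAL_SSHD = {"host": "netbsd1", "prog": "sshd", "facility": "auth", "priority": "info"}
REMOTE_USER = {"host": "qemu", "prog": "login", "facility": "user", "priority": "info"}
REMOTE_NAS = {"host": "nas", "prog": "synoscgi", "facility": "daemon", "priority": "info"}

if __name__ == "__main__":
    for name, conf in (("stock+fragment", STOCK + FRAGMENT), ("fixed", FIXED)):
        for msg in (LOCAL_SSHD, REMOTE_USER, REMOTE_NAS):
            print(name, msg["host"], "->", route(conf, msg, "netbsd1"))
```

With the fragment merely appended, a `user.info` message from `qemu` lands in both /var/log/messages (the stock rules carry no host spec, so they apply to every sender) and /var/log/foreign. With `+@` ahead of the stock rules it lands only in /var/log/foreign and, if it also matches a later `+host` block, in that host's file as well; that second copy is the cascade RVP mentions, not a misconfiguration. In this model a rule keyed on `@` can only recognise a local message if the name stamped on local messages equals the name `@` expands to (`local_host` here); the PR later reports that setting the server's hostname made `-@` behave, which is consistent with that. A selector line whose fields are separated by spaces rather than TABs is rejected outright, which is the first thing Michael van Elst asks about.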

From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 07 Aug 2024 13:23:53 +0000

 On 8/7/2024 at 6:25 AM, "Michael van Elst" <mlelstv@serpens.de> wrote:
 >
 >The following reply was made to PR bin/58558; it has been noted by 
 >GNATS.
 >
 >From: mlelstv@serpens.de (Michael van Elst)
 >To: gnats-bugs@netbsd.org
 >Cc: 
 >Subject: Re: bin/58558: syslog.conf(5) man page example does not 
 >work.
 >Date: Wed, 7 Aug 2024 06:21:52 -0000 (UTC)
 >
 > xover2391@hush.com writes:
 > 
 > ># Save non-local log messages from all programs to a separate 
 >file.
 > >!*
 > >-@
 > >*.*                                     /var/log/foreign
 > 
 > 
 > Are you aware that the selector (left side) and action (right 
 >side)
 > need to be separated by TAB characters, not spaces ?

 Yes, I am aware of this. Of the four lines I added to
 /etc/syslog.conf, I am assuming that it only matters to the last one,
 and the space between the *.* and /var/log/foreign is tabs not
 spaces.

From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: [Suspected Junk Mail] Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 07 Aug 2024 13:42:13 +0000

 On 8/7/2024 at 7:10 AM, "RVP" <rvp@SDF.ORG> wrote:
 >
 >The following reply was made to PR bin/58558; it has been noted by 
 >GNATS.
 >
 >From: RVP <rvp@SDF.ORG>
 >To: gnats-bugs@netbsd.org
 >Cc: 
 >Subject: Re: bin/58558: syslog.conf(5) man page example does not 
 >work.
 >Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)
 >
 > On Wed, 7 Aug 2024, xover2391@hush.com wrote:
 > 
 > > # Save non-local log messages from all programs to a separate 
 >file.
 > > !*
 > > -@
 > > *.*                                     /var/log/foreign
 > >
 > 
 > There is PR #47529 which _looks_ almost like this PR, except, close
 > reading of syslog.conf(5) suggests that the duplicate copies should
 > be expected with the config. file you've shown. Ie. by default,
 > messages will "cascade" to multiple files unless stopped by other
 > rules or using the `-U' flag to syslogd.
 >
 > Here's a syslog.conf which does work for separating outputs from
 > other hosts to a different file (works around PR #47529 too):
 > 
 > ```
 > #	$NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
 > 
 > +@
 > *.err;kern.*;auth.notice;authpriv.none;mail.crit	/dev/console
 > *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none	/var/log/messages
 > kern.debug						/var/log/messages
 > 
 > # The authpriv log file should be restricted access; these
 > # messages shouldn't go to terminals or publically-readable
 > # files.
 > auth,authpriv.info					/var/log/authlog
 > 
 > cron.info						/var/log/cron
 > ftp.info						/var/log/xferlog
 > lpr.info						/var/log/lpd-errs
 > mail.info						/var/log/maillog
 > #uucp.info						/var/spool/uucp/ERRORS
 > 
 > *.emerg							*
 > #*.notice						root
 > 
 > !*
 > +192.168.68.171,qemu
 > *.*							/var/log/host1.log
 > ```
 > 
 > The only additions from the default syslog.conf file are the:
 > 
 > +@
 > 
 > and:
 > 
 > !*
 > +192.168.68.171,qemu
 > *.*							/var/log/host1.log
 > 
 > The `+@' hostname-spec causes the rules following it to be applied
 > _only_ to the local host. This duplicates the functionality of the
 > default config. file.
 >
 > The other block then sends all output from the named host(s) to a
 > separate file.
 > 
 > But, for this to work (I've just tested this), the remote host has
 > to send well formed syslog data to the syslogd program on
 > NetBSD. In my test the remote host ("qemu") was also NetBSD and the
 > messages in `/var/log/host1.log' look like this:
 > 
 > ```
 > <auth.info>Aug  7 06:29:02 qemu sshd[327]: Server listening on :: 
 >port 22.
 > <auth.info>Aug  7 06:29:02 qemu sshd[327]: Server listening on 
 >0.0.0.0 port 22.
 > <user.debug>Aug  7 06:29:02 qemu sshd: bl_init: connect failed 
 >for `/var/run/blacklistd.sock' (No such file or directory)
 > <mail.info>Aug  7 06:29:02 qemu postfix/postfix-script[466]: 
 >starting the Postfix mail system
 > <mail.info>Aug  7 06:29:02 qemu postfix/master[479]: daemon 
 >started -- version 3.8.4, configuration /etc/postfix
 > <auth.notice>Aug  7 06:29:36 qemu login: ROOT LOGIN (root) on tty 
 >constty
 > <cron.info>Aug  7 06:30:43 qemu cron[549]: (root) CMD START 
 >(/usr/libexec/atrun)
 > <cron.info>Aug  7 06:30:43 qemu cron[537]: (root) CMD FINISH 
 >(/usr/libexec/atrun)
 > ```
 > 
 > The message you posted on netbsd-users@ looks malformed:
 > 
 > ```
 > <user.info>Aug  7 10:40:08 Aug -:  7 10:40:08 192.168.1.200-1 
 >USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30 
 >started for user admin connected from 192.168.1.210
 > ```
 > 
 > Don't know if it's a bug in syslogd which's responsible or it's the
 > sender who's responsible.
 > 
 > Can you do a tcpdump like this and show the output?
 > 
 > ```
 > root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port 
 >syslog
 > ```
 > 
 > -RVP

 I appreciate the pointer to PR# 47529. I did perform a Query PR prior
 to doing a Send PR, but not knowing what to search for, all I did was
 to put a single keyword "syslogd" in the relevant search field.  Very
 few of the results returned were directly related to syslogd, and I
 didn't inspect each and every one of them.  I mainly looked for the
 dates to have been within the last two years or so.

 I'm happy to defer to your knowledge on whether a syslog message is
 malformed, and I'd put money on it being the remote device (the HP
 switch, which is running some kind of embedded Linux from HP, of
 course) that's responsible. Yes, I can do a tcpdump like what you've
 shown, when I'm on-site next week. Thanks for the suggestion.

From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 7 Aug 2024 14:31:03 -0000 (UTC)

 xover2391@hush.com writes:

 >Yes, I am aware of this. Of the four lines I added to /etc/syslog.conf, I am assuming that it only matters to the last one, and the space between the *.* and /var/log/foreign is tabs not spaces.

 I have configured something similar (netbsd-10/i386) and it just works.
 One difference is that I don't use the !* program specification. It's

 +@
 ... local rules here ...
 -@
 ... remote rules here ...

 And I tested that adding !* like in the example doesn't change the behaviour.

From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Fri, 09 Aug 2024 06:03:40 +0000

 On 8/7/2024 at 2:35 PM, "Michael van Elst" <mlelstv@serpens.de> wrote:
 >
 >The following reply was made to PR bin/58558; it has been noted by 
 >GNATS.
 >
 >From: mlelstv@serpens.de (Michael van Elst)
 >To: gnats-bugs@netbsd.org
 >Cc: 
 >Subject: Re: bin/58558: syslog.conf(5) man page example does not 
 >work.
 >Date: Wed, 7 Aug 2024 14:31:03 -0000 (UTC)
 >
 > xover2391@hush.com writes:
 > 
 > >Yes, I am aware of this. Of the four lines I added to 
 >/etc/syslog.conf, I am assuming that it only matters to the last 
 >one, and the space between the *.* and /var/log/foreign is tabs 
 >not spaces.
 > 
 > I have configured something similar (netbsd-10/i386) and it just 
 >works.
 > One difference is that I don't use the !* program specification. 
 >It's
 > 
 > +@
 > ... local rules here ...
 > -@
 > ... remote rules here ...
 > 
 > And I tested that adding !* like in the example doesn't change 
 >the behaviour.

 Although I'm trying to get the syslog messages from a HP network
 switch written to a separate file in /var/log on a NetBSD-10/amd64
 server, I'm happy to try different things to try and figure out
 what's going wrong with that. I can do what you've suggested, and
 also try doing it from a computer running NetBSD, and to a server
 running NetBSD/i386, to see if I can get the same results. If I can
 get success with that, I can then try and sort out the problem with
 the HP switch.

 I can try this out next week when I am back on-site.

 Thanks.

From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 04 Sep 2024 07:04:35 +0000

 On 8/7/2024 at 7:10 AM, "RVP" <rvp@SDF.ORG> wrote:
 >
 >The following reply was made to PR bin/58558; it has been noted by 
 >GNATS.
 >
 >From: RVP <rvp@SDF.ORG>
 >To: gnats-bugs@netbsd.org
 >Cc: 
 >Subject: Re: bin/58558: syslog.conf(5) man page example does not 
 >work.
 >Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)
 >
 > On Wed, 7 Aug 2024, xover2391@hush.com wrote:
 > 
 > > # Save non-local log messages from all programs to a separate 
 >file.
 > > !*
 > > -@
 > > *.*                                     /var/log/foreign
 > >
 > 
 > There is PR #47529 which _looks_ almost like this PR, except, 
 >close reading
 > of syslog.conf(5) suggests that the duplicate copies should be 
 >expected with
 > the config. file you've shown. Ie. by default, messages will 
 >"cascade" to
 > multiple files unless stopped by other rules or using the `-U' 
 >flag to syslogd.
 > 
 > Here's a syslog.conf which does work for separating outputs from 
 >other hosts
 > to a different file (works around PR #47529 too):
 > 
 > ```
 > #	$NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
 > 
 > +@
 > *.err;kern.*;auth.notice;authpriv.none;mail.crit	/dev/console
 > *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none	/var/log/messages
 > kern.debug						/var/log/messages
 > 
 > # The authpriv log file should be restricted access; these
 > # messages shouldn't go to terminals or publically-readable
 > # files.
 > auth,authpriv.info					/var/log/authlog
 > 
 > cron.info						/var/log/cron
 > ftp.info						/var/log/xferlog
 > lpr.info						/var/log/lpd-errs
 > mail.info						/var/log/maillog
 > #uucp.info						/var/spool/uucp/ERRORS
 > 
 > *.emerg							*
 > #*.notice						root
 > 
 > !*
 > +192.168.68.171,qemu
 > *.*							/var/log/host1.log
 > ```
 > 
 > The only additions from the default syslog.conf file are the:
 > 
 > +@
 > 
 > and:
 > 
 > !*
 > +192.168.68.171,qemu
 > *.*							/var/log/host1.log
 > 
 > The `+@' hostname-spec causes the rules following it to be 
 >applied _only_ to
 > the local host. This duplicates the functionality of the default 
 >config. file.
 > 
 > The other block then sends all output from the named host(s) to a 
 >separate
 > file.
 > 
 > But, for this to work (I've just tested this), the remote host 
 >has to send
 > well formed syslog data to the syslogd program on NetBSD. In my 
 >test the remote
 > host ("qemu") was also NetBSD and the messages in 
 >`/var/log/host1.log' look
 > like this:
 > 
 > ```
 > <auth.info>Aug  7 06:29:02 qemu sshd[327]: Server listening on :: 
 >port 22.
 > <auth.info>Aug  7 06:29:02 qemu sshd[327]: Server listening on 
 >0.0.0.0 port 22.
 > <user.debug>Aug  7 06:29:02 qemu sshd: bl_init: connect failed 
 >for `/var/run/blacklistd.sock' (No such file or directory)
 > <mail.info>Aug  7 06:29:02 qemu postfix/postfix-script[466]: 
 >starting the Postfix mail system
 > <mail.info>Aug  7 06:29:02 qemu postfix/master[479]: daemon 
 >started -- version 3.8.4, configuration /etc/postfix
 > <auth.notice>Aug  7 06:29:36 qemu login: ROOT LOGIN (root) on tty 
 >constty
 > <cron.info>Aug  7 06:30:43 qemu cron[549]: (root) CMD START 
 >(/usr/libexec/atrun)
 > <cron.info>Aug  7 06:30:43 qemu cron[537]: (root) CMD FINISH 
 >(/usr/libexec/atrun)
 > ```
 > 
 > The message you posted on netbsd-users@ looks malformed:
 > 
 > ```
 > <user.info>Aug  7 10:40:08 Aug -:  7 10:40:08 192.168.1.200-1 
 >USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30 
 >started for user admin connected from 192.168.1.210
 > ```
 > 
 > Don't know if it's a bug in syslogd which's responsible or it's 
 >the sender who's
 > responsible.
 > 
 > Can you do a tcpdump like this and show the output?
 > 
 > ```
 > root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port 
 >syslog
 > ```
 > 
 > -RVP

 Apologies that it has taken me so long to be able to get you the info
 you requested. There has been some progress on this issue which I
 detailed in a separate message in this thread, relating to the
 setting of a hostname for the NetBSD server. After setting the NetBSD
 server hostname, and altering /etc/syslog.conf to include a "+@" line
 near the top and a "-@" line near the bottom, syslogd now puts the
 non-local/remote syslog messages into a separate file, which is a
 good start.

 I still want to extend things so that each remote host/device has its
 syslog messages put into a separate file, so I tried replacing the
 "-@" line with "+192.168.1.200". After doing that (and rebooting the
 NetBSD server) the syslog messages from 192.168.1.200 are not saved
 anywhere. Clearly, those messages are not local, but they are also
 not identified as "being from" 192.168.1.200. So I changed the line
 back to "-@" and ran the tcpdump command you mentioned above.

 netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst port syslog
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
 IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info, length: 154
 E.....@.@.................k.<14> Sep  4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user admin connected from 192.168.1.210
 .
 ^C
 1 packet captured
 23 packets received by filter
 0 packets dropped by kernel
 netbsd1# 


 I also configured a total of nine other devices (seven routers, one
 different network switch, and a Synology NAS unit) to send their
 syslog messages to the NetBSD server. The /etc/syslog.conf file now
 looks like this (The only differences are line 3 which has "+@" and
 everything from the line that has "-@" until End Of File):


 #	$NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $

 +@
 *.err;kern.*;auth.notice;authpriv.none;mail.crit	/dev/console
 *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none	/var/log/messages
 kern.debug						/var/log/messages

 # The authpriv log file should be restricted access; these
 # messages shouldn't go to terminals or publically-readable
 # files.
 auth,authpriv.info					/var/log/authlog

 cron.info						/var/log/cron
 ftp.info						/var/log/xferlog
 lpr.info						/var/log/lpd-errs
 mail.info						/var/log/maillog
 #uucp.info						/var/spool/uucp/ERRORS

 *.emerg							*
 #*.notice						root

 -@
 *.*						/var/log/foreign

 # HP network switch
 +192.168.1.200
 *.*						/var/log/host-192.168.1.200

 # Other network switch
 +192.168.1.201
 *.*						/var/log/host-192.168.1.201

 # DrayTek router
 +192.168.1.202
 *.*						/var/log/host-192.168.1.202

 # NetComm router 1
 +192.168.1.203
 *.*						/var/log/host-192.168.1.203

 # NetComm router 2
 +192.168.1.204
 *.*						/var/log/host-192.168.1.204

 # Sonicwall router
 +192.168.1.205
 *.*						/var/log/host-192.168.1.205

 # TP-Link router
 +192.168.1.206
 *.*						/var/log/host-192.168.1.206

 # Netgear router
 +192.168.1.207
 *.*						/var/log/host-192.168.1.207

 # Sagemcom router
 +192.168.1.208
 *.*						/var/log/host-192.168.1.208

 # Synology NAS
 +192.168.1.209
 *.*						/var/log/host-192.168.1.209


 The NetBSD server is saving the syslog messages from each of the
 seven routers to their respective /var/log/host-192.168.1.20x files
 as well as to the /var/log/foreign file. It is not saving the syslog
 messages from the two network switches or the Synology NAS unit to
 their respective files, even though it is saving them to the
 /var/log/foreign file (at least it recognises that they're "not
 local"). I'm not sure if a tcpdump of a syslog message from the
 Synology NAS or the other network switch would be useful, but I can
 provide that if requested.

 The Synology NAS unit has the option to send its syslog messages in
 either "BSD (RFC 3164)" or "IETF (RFC 5424)" format. I can see the
 difference in the syslog message structure of either format from that
 unit as they are saved in the /var/log/foreign file, but neither
 format results in the saving of the messages in the
 /var/log/host-192.168.1.209 file.

 Hints, tips, or suggestions are welcome. Thanks.

From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: xover2391@hush.com
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 4 Sep 2024 07:22:07 +0000 (UTC)

 On Wed, 4 Sep 2024,  xover2391@hush.com via gnats wrote:

 > I still want to extend things so that each remote host/device has
 > its syslog messages put into a separate file, so I tried replacing
 > the "-@" line with "+192.168.1.200". After doing that (and
 > rebooting the NetBSD server) the syslog messages from 192.168.1.200
 > are not saved anywhere. Clearly, those messages are not local, but
 > they are also not identified as "being from" 192.168.1.200. So I
 > changed the line back to "-@" and ran the tcpdump command you
 > mentioned above.
 > 
 > netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst port syslog
 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 > listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
 > IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info, length: 154
 > E.....@.@.................k.<14> Sep  4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user admin connected from 192.168.1.210
 > .
 > ^C

 The "hostname" is `192.168.1.200-1', so:

 > # HP network switch
 > +192.168.1.200
 > *.*						/var/log/host-192.168.1.200
 >

 ```
 # HP network switch
 +192.168.1.200-1				/var/log/host-192.168.1.200
 ```

 Because IP addresses can change, the RFCs prefer to use either a hostname
 or some other unique token to key on.

 Not sure what syslogd does when the hostname is `-' (unspecified). I'll have
 to look at the code. Maybe this weekend...

 -RVP

From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 4 Sep 2024 07:31:29 +0000 (UTC)

 On Wed, 4 Sep 2024,  RVP  via gnats wrote:

 > ```
 > # HP network switch
 > +192.168.1.200-1				/var/log/host-192.168.1.200
 > ```
 >

 Sorry--that should of course be:

 ```
 +192.168.1.200-1
 *.*						/var/log/host-192.168.1.200
 ```

 -RVP

From: xover2391@hush.com
To: "RVP" <rvp@sdf.org>, gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 04 Sep 2024 07:37:02 +0000

 On 9/4/2024 at 7:22 AM, "RVP" <rvp@SDF.ORG> wrote:
 >
 >On Wed, 4 Sep 2024,  xover2391@hush.com via gnats wrote:
 >
 >> I still want to extend things so that each remote host/device 
 >has its syslog messages put into a separate file, so I tried 
 >replacing the "-@" line with "+192.168.1.200". After doing that 
 >(and rebooting the NetBSD server) the syslog messages from 
 >192.168.1.200 are not saved anywhere. Clearly, those messages are 
 >not local, but they are also not identified as "being from" 
 >192.168.1.200. So I changed the line back to "-@" and ran the 
 >tcpdump command you mentioned above.
 >>
 >> netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst 
 >port syslog
 >> tcpdump: verbose output suppressed, use -v or -vv for full 
 >protocol decode
 >> listening on re0, link-type EN10MB (Ethernet), capture size 
 >262144 bytes
 >> IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info, 
 >length: 154
 >> E.....@.@.................k.<14> Sep  4 14:57:10 192.168.1.200-1 
 >USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46 
 >ended for user admin connected from 192.168.1.210
 >> .
 >> ^C
 >
 >The "hostname" is `192.168.1.200-1', so:
 >
 >> # HP network switch
 >> +192.168.1.200
 >> *.*						/var/log/host-192.168.1.200
 >>
 >
 >```
 ># HP network switch
 >+192.168.1.200-1				/var/log/host-192.168.1.200
 >```
 >
 >Because IP addresses can change, the RFCs prefer to use either a 
 >hostname
 >or some other unique token to key on.
 >
 >Not sure what syslogd does when the hostname is `-' (unspecified). 
 >I'll have
 >to look at the code. Maybe this weekend...
 >
 >-RVP


 Many thanks for the suggestion, but it didn't work when I changed it to


 +192.168.1.200-1
 *.*                                             /var/log/host-192.168.1.200


 The syslog messages from the HP network switch are still being saved
 to /var/log/foreign but there's nothing in /var/log/host-192.168.1.200

From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: xover2391@hush.com
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 4 Sep 2024 07:45:27 +0000 (UTC)

 On Wed, 4 Sep 2024,  xover2391@hush.com via gnats wrote:

 > Many thanks for the suggestion, but it didn't work when I changed it to
 >
 >
 > +192.168.1.200-1
 > *.*                                             /var/log/host-192.168.1.200
 >

 Ah, I was afraid of that happening. With that weird hostname, it would have to
 be just `+192' I guess (the domain names are discarded). Can you configure a
 proper hostname on this switch?

 -RVP

From: xover2391@hush.com
To: "RVP" <rvp@sdf.org>, gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Mon, 09 Sep 2024 01:50:18 +0000

 On 9/4/2024 at 7:45 AM, "RVP" <rvp@SDF.ORG> wrote:
 >
 >On Wed, 4 Sep 2024,  xover2391@hush.com via gnats wrote:
 >
 >> Many thanks for the suggestion, but it didn't work when I 
 >changed it to
 >>
 >>
 >> +192.168.1.200-1
 >> *.*                                             /var/log/host-
 >192.168.1.200
 >>
 >
 >Ah, I was afraid of that happening. With that weird hostname, it 
 >would have to
 >be just `+192' I guess (the domain names are discarded). Can you 
 >configure a
 >proper hostname on this switch?
 >
 >-RVP


 I don't believe so. The only place I can do anything like that is on
 the "home page" of the network switch (that page is called the
 "Dashboard") in the System Name field. However, I've tried entering
 something into that field previously, and the syslog message it sends
 to the NetBSD server still contains 192.168.1.200-1 in the message
 and no mention of what I entered into that field. This is in contrast
 to just one of the routers I have here (a Draytek Vigor model) where
 I can set the "Router Name" that then appears in the syslog messages
 it sends to the NetBSD server.

 Here is an example of that (the following messages are being saved to
 /var/log/host-192.168.1.207 because of the "+192.168.1.207" block
 specifier in /etc/syslog.conf):

 (With the Draytek "Router Name" set to blank, which is the factory
 default setting)

 <local2.info>Sep  9 10:50:29 192.168.1.207 Vigor: [WEB]System Reboot

 (And this is with the Draytek "Router Name" set to "draytek2024")
 <local2.info>Sep  9 10:53:11 192.168.1.207 draytek2024: [WEB]System Reboot


 Considering the NetBSD server was saving both of those messages to
 the same file and was effectively ignoring the Draytek hostname, I
 wondered if the fourth field (192.168.1.207) was what it was basing
 its decisions on. Once again, here is an example of a syslog message
 from the network switch:

 <user.info>Sep  9 11:23:37 Sep -:  9 11:23:37 192.168.1.200-1 USER_MGR[26109764]: user_mgr_util.c(1588) 1178 %% HTTP Session 8 started for user admin connected from 192.168.1.220

 So I changed the block specifier in /etc/syslog.conf from:

 +192.168.1.200

 to what is in the fourth field of this switch's syslog message:

 +Sep

 and now the syslog messages from the network switch are being saved
 in the /var/log/host-192.168.1.200 file.

 Obviously, this is not a good result for so many reasons, but it is a
 result nonetheless. I believe it also supports what you said early on
 that the syslog messages from this network switch seem to be
 malformed. I assume what you mean by that is that they do not conform
 to some RFC or IETF standard.

 I am going to look more closely at the fourth field from each of the
 seven routers I set up for this, the other network switch, and the
 Synology unit. I expect to find the IP address in the fourth field
 for each of the seven routers, but something else from the other
 network switch and the Synology unit, to explain why the syslog
 messages from the seven routers are being saved to their respective
 separate files, but the syslog messages from the other network switch
 and the Synology unit are not.

From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Mon, 09 Sep 2024 04:30:31 +0000

 Of the ten devices I configured for testing, I can confirm that all
 seven of the routers have their respective IP address in the fourth
 field of any syslog message saved by the NetBSD server.

 I can confirm that the Synology unit (which has its System Name set
 to "nas") has "nas" in the fourth field of any syslog message saved
 by the NetBSD server instead of its IP address, regardless of whether
 the Synology was sending the syslog messages in BSD form or IETF
 form. All I had to do was to alter the block specifier to "+nas" in
 /etc/syslog.conf, and the Synology's syslog messages were then being
 written to the file I specified.

 I can confirm that the other network switch (not an HP unit like the
 first one is) has the three-character month abbreviation of its local
 time in the fourth field, just as the HP network switch has. I am
 surprised to see the same behaviour from two different network switch
 manufacturers. By changing the block specifier to "+<Month>", the
 syslog messages from either network switch could be saved to a
 separate file from the other messages, but not separate from each
 other. Not a good workaround, for so many reasons.

 In any case, it seems as if the original reason for opening this bug
 report has been solved. For the example I listed in the
 syslog.conf(5) man page to work correctly, the NetBSD server needs to
 have a hostname set (I eventually did that in /etc/rc.conf) and with
 the use of the "+@", "-@", and "+<IP address>" or "+<hostname>" or
 "+<whatever is in the fourth field of a syslog message from a remote
 device>" block specifiers, syslog messages from different devices can
 be saved to different files.

 This bug report can be closed. Thanks to all who assisted.
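As an added illustration (not code from this thread or from NetBSD's syslogd), a small Python model of the routing the poster worked out above: take the fourth whitespace-separated field of each stored line as the host, test it against a "+host" block specifier, and flag a host field that is really a month abbreviation. The sample lines are constructed after the ones quoted in the thread, and the case-insensitive substring comparison (which also covers a comma-separated "+host1,host2" list and shows how a short specifier can match more than one device) is an assumption of this example.

```python
# Constructed sample lines, modelled on the stored lines quoted in this
# thread (two Draytek routers, the Synology NAS with System Name "nas",
# and the HP switch whose timestamp syslogd did not parse). They are
# illustrations, not captured log data.
SAMPLE_LINES = [
    "<local2.info>Sep  9 10:53:11 192.168.1.207 draytek2024: [WEB]System Reboot",
    "<local2.info>Sep  9 10:55:40 192.168.1.203 Vigor: [WEB]Login OK",
    "<user.info>Sep  9 11:30:02 nas synoscgi: [CONSTRUCTED] login OK",
    "<user.info>Sep  9 11:23:37 Sep -:  9 11:23:37 192.168.1.200-1 "
    "USER_MGR[26109764]: user_mgr_util.c(1588) 1178 %% HTTP Session 8 started",
]

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}


def host_field(line):
    """Return the fourth whitespace-separated field of a stored line: the
    position in which the thread found the name syslogd had used as the
    host (priority tag fused to the month, then day, time, host)."""
    fields = line.split()
    return fields[3] if len(fields) > 3 else None


def block_matches(spec, host):
    """Model of a '+host[,host...]' block specifier. The comparison is a
    case-insensitive substring test here; that is an assumption of this
    example, not a statement about syslogd's source."""
    if not spec.startswith("+"):
        raise ValueError("only '+host' specifiers are modelled")
    return any(name.lower() in host.lower() for name in spec[1:].split(","))


def route(spec, lines):
    """Return the sample lines the given '+host' block would select."""
    return [ln for ln in lines if block_matches(spec, host_field(ln))]


def suspicious_host(host):
    """A host field that is a month abbreviation means the sender's
    timestamp was not recognised, so the line is routed on the wrong field."""
    return host in MONTHS


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        h = host_field(ln)
        print(f"{h:18} suspicious={suspicious_host(h)}")
    print(len(route("+192.168.1.200", SAMPLE_LINES)))  # 0: the switch line shows "Sep"
    print(len(route("+192.168.1.20", SAMPLE_LINES)))   # 2: a short spec matches both routers
```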

>Unformatted:
