NetBSD Problem Report #58558
From www@netbsd.org Wed Aug 7 05:31:04 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 553901A923A
for <gnats-bugs@gnats.NetBSD.org>; Wed, 7 Aug 2024 05:31:04 +0000 (UTC)
Message-Id: <20240807053102.F3ECF1A923C@mollari.NetBSD.org>
Date: Wed, 7 Aug 2024 05:31:02 +0000 (UTC)
From: xover2391@hush.com
Reply-To: xover2391@hush.com
To: gnats-bugs@NetBSD.org
Subject: syslog.conf(5) man page example does not work.
X-Send-Pr-Version: www-1.0
>Number: 58558
>Category: bin
>Synopsis: syslog.conf(5) man page example does not work.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 07 05:35:00 +0000 2024
>Last-Modified: Mon Sep 09 09:53:54 +0000 2024
>Originator: Archie
>Release: 10.0
>Organization:
>Environment:
NetBSD 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
I have been trying to get syslogd to save messages sent to it from a
remote device, to a separate file. I created the following thread in
the netbsd-users mailing list to ask for assistance:
https://mail-index.netbsd.org/netbsd-users/2024/07/24/msg031511.html
Some suggestions were provided, but did not resolve the issue. I then
tried to use an example from the EXAMPLES section of the
syslog.conf(5) man page, which did not work as expected. I documented
what I did in the following post of the same thread:
https://mail-index.netbsd.org/netbsd-users/2024/07/31/msg031578.html
Here is a copy of the text in that post:
**********************************************************************
I decided to try one of the examples given near the end of the
syslog.conf(5) man page. I removed the alterations I had made to the
/etc/syslog.conf file, and appended the following example instead:
# Save non-local log messages from all programs to a separate file.
!*
-@
*.* /var/log/foreign
I then created the /var/log/foreign file with:
touch /var/log/foreign
Lastly, I rebooted the NetBSD server and logged in.
The /var/log/messages file contained the usual stuff, but also the
messages from the remote device (192.168.1.200) which I was not
expecting.
The /var/log/foreign file contained everything logged in
/var/log/messages, /var/log/maillog, /var/log/authlog, and the
messages from the remote device (192.168.1.200). Definitely wasn't
expecting that.
So, unless I'm doing something very wrong, something with the syslog
system doesn't seem to be working as it should.
**********************************************************************
The problem I was originally trying to solve (having the syslog
messages from a remote device written to a separate file) and the
problem with the example from the EXAMPLES section of the
syslog.conf(5) man page might be interconnected. Solving one might
solve the other.
>How-To-Repeat:
- Configure a device to send syslog messages to the IP address of the
NetBSD server (192.168.1.100). In my case it was a HP
network/ethernet switch with the latest available firmware.
- Perform a fresh install of NetBSD 10/amd64.
- Append the following line to rc.conf:
syslogd_flags="-n -S -T -v -v"
- Create a suitable /etc/ifconfig.<if> file on the NetBSD server. In
my case it was ifconfig.re0 and its contents were:
inet 192.168.1.100 netmask 0xffffff00 tso4 ip4csum udp4csum tcp4csum
- Append the following (taken from the EXAMPLES section of the
syslog.conf(5) man page) to the /etc/syslog.conf file:
# Save non-local log messages from all programs to a separate file.
!*
-@
*.* /var/log/foreign
- Create the required file manually (in case syslogd wouldn't)
# touch /var/log/foreign
- Reboot the NetBSD server.
- Login and inspect the recently written /var/log files.
- /var/log/messages contains syslog messages from the remote device,
which it shouldn't have.
- /var/log/foreign contains syslog messages from the remote device,
but it also contains everything logged in /var/log/messages,
/var/log/maillog, /var/log/authlog, and /var/log/cron, which it
shouldn't have.
>Fix:
>Release-Note:
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 7 Aug 2024 06:21:52 -0000 (UTC)
xover2391@hush.com writes:
># Save non-local log messages from all programs to a separate file.
>!*
>-@
>*.* /var/log/foreign
Are you aware that the selector (left side) and action (right side)
need to be separated by TAB characters, not spaces ?
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)
On Wed, 7 Aug 2024, xover2391@hush.com wrote:
> # Save non-local log messages from all programs to a separate file.
> !*
> -@
> *.* /var/log/foreign
>
There is PR #47529 which _looks_ almost like this PR, except, close reading
of syslog.conf(5) suggests that the duplicate copies should be expected with
the config. file you've shown. Ie. by default, messages will "cascade" to
multiple files unless stopped by other rules or using the `-U' flag to syslogd.
Here's a syslog.conf which does work for separating outputs from other hosts
to a different file (works around PR #47529 too):
```
# $NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
+@
*.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none /var/log/messages
kern.debug /var/log/messages
# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth,authpriv.info /var/log/authlog
cron.info /var/log/cron
ftp.info /var/log/xferlog
lpr.info /var/log/lpd-errs
mail.info /var/log/maillog
#uucp.info /var/spool/uucp/ERRORS
*.emerg *
#*.notice root
!*
+192.168.68.171,qemu
*.* /var/log/host1.log
```
The only additions from the default syslog.conf file are the:
+@
and:
!*
+192.168.68.171,qemu
*.* /var/log/host1.log
The `+@' hostname-spec causes the rules following it to be applied _only_ to
the local host. This duplicates the functionality of the default config. file.
The other block then sends all output from the named host(s) to a separate
file.
But, for this to work (I've just tested this), the remote host has to send
well formed syslog data to the syslogd program on NetBSD. In my test the remote
host ("qemu") was also NetBSD and the messages in `/var/log/host1.log' look
like this:
```
<auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on :: port 22.
<auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on 0.0.0.0 port 22.
<user.debug>Aug 7 06:29:02 qemu sshd: bl_init: connect failed for `/var/run/blacklistd.sock' (No such file or directory)
<mail.info>Aug 7 06:29:02 qemu postfix/postfix-script[466]: starting the Postfix mail system
<mail.info>Aug 7 06:29:02 qemu postfix/master[479]: daemon started -- version 3.8.4, configuration /etc/postfix
<auth.notice>Aug 7 06:29:36 qemu login: ROOT LOGIN (root) on tty constty
<cron.info>Aug 7 06:30:43 qemu cron[549]: (root) CMD START (/usr/libexec/atrun)
<cron.info>Aug 7 06:30:43 qemu cron[537]: (root) CMD FINISH (/usr/libexec/atrun)
```
The message you posted on netbsd-users@ looks malformed:
```
<user.info>Aug 7 10:40:08 Aug -: 7 10:40:08 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30 started for user admin connected from 192.168.1.210
```
Don't know if it's a bug in syslogd which's responsible or it's the sender who's
responsible.
Can you do a tcpdump like this and show the output?
```
root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port syslog
```
-RVP
From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 07 Aug 2024 13:23:53 +0000
On 8/7/2024 at 6:25 AM, "Michael van Elst" <mlelstv@serpens.de> wrote:
>
>The following reply was made to PR bin/58558; it has been noted by
>GNATS.
>
>From: mlelstv@serpens.de (Michael van Elst)
>To: gnats-bugs@netbsd.org
>Cc:
>Subject: Re: bin/58558: syslog.conf(5) man page example does not
>work.
>Date: Wed, 7 Aug 2024 06:21:52 -0000 (UTC)
>
> xover2391@hush.com writes:
>
> ># Save non-local log messages from all programs to a separate
>file.
> >!*
> >-@
> >*.* /var/log/foreign
>
>
> Are you aware that the selector (left side) and action (right
>side)
> need to be separated by TAB characters, not spaces ?
Yes, I am aware of this. Of the four lines I added to
/etc/syslog.conf, I am assuming that it only matters to the last one,
and the space between the *.* and /var/log/foreign is tabs not
spaces.
From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: [Suspected Junk Mail] Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 07 Aug 2024 13:42:13 +0000
On 8/7/2024 at 7:10 AM, "RVP" <rvp@SDF.ORG> wrote:
>
>The following reply was made to PR bin/58558; it has been noted by
>GNATS.
>
>From: RVP <rvp@SDF.ORG>
>To: gnats-bugs@netbsd.org
>Cc:
>Subject: Re: bin/58558: syslog.conf(5) man page example does not
>work.
>Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)
>
> On Wed, 7 Aug 2024, xover2391@hush.com wrote:
>
> > # Save non-local log messages from all programs to a separate
>file.
> > !*
> > -@
> > *.* /var/log/foreign
> >
>
> There is PR #47529 which _looks_ almost like this PR, except, close
> reading of syslog.conf(5) suggests that the duplicate copies should
> be expected with the config. file you've shown. Ie. by default,
> messages will "cascade" to multiple files unless stopped by other
> rules or using the `-U' flag to syslogd.
>
> Here's a syslog.conf which does work for separating outputs from
> other hosts to a different file (works around PR #47529 too):
>
> ```
> # $NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
>
> +@
> *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
> *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none /var/log/messages
> kern.debug /var/log/messages
>
> # The authpriv log file should be restricted access; these
> # messages shouldn't go to terminals or publically-readable
> # files.
> auth,authpriv.info /var/log/authlog
>
> cron.info /var/log/cron
> ftp.info /var/log/xferlog
> lpr.info /var/log/lpd-errs
> mail.info /var/log/maillog
> #uucp.info /var/spool/uucp/ERRORS
>
> *.emerg *
> #*.notice root
>
> !*
> +192.168.68.171,qemu
> *.* /var/log/host1.log
> ```
>
> The only additions from the default syslog.conf file are the:
>
> +@
>
> and:
>
> !*
> +192.168.68.171,qemu
> *.* /var/log/host1.log
>
> The `+@' hostname-spec causes the rules following it to be applied
> _only_ to the local host. This duplicates the functionality of the
> default config. file.
>
> The other block then sends all output from the named host(s) to a
> separate file.
>
> But, for this to work (I've just tested this), the remote host has
> to send well formed syslog data to the syslogd program on
> NetBSD. In my test the remote host ("qemu") was also NetBSD and the
> messages in `/var/log/host1.log' look like this:
>
> ```
> <auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on ::
>port 22.
> <auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on
>0.0.0.0 port 22.
> <user.debug>Aug 7 06:29:02 qemu sshd: bl_init: connect failed
>for `/var/run/blacklistd.sock' (No such file or directory)
> <mail.info>Aug 7 06:29:02 qemu postfix/postfix-script[466]:
>starting the Postfix mail system
> <mail.info>Aug 7 06:29:02 qemu postfix/master[479]: daemon
>started -- version 3.8.4, configuration /etc/postfix
> <auth.notice>Aug 7 06:29:36 qemu login: ROOT LOGIN (root) on tty
>constty
> <cron.info>Aug 7 06:30:43 qemu cron[549]: (root) CMD START
>(/usr/libexec/atrun)
> <cron.info>Aug 7 06:30:43 qemu cron[537]: (root) CMD FINISH
>(/usr/libexec/atrun)
> ```
>
> The message you posted on netbsd-users@ looks malformed:
>
> ```
> <user.info>Aug 7 10:40:08 Aug -: 7 10:40:08 192.168.1.200-1
>USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30
>started for user admin connected from 192.168.1.210
> ```
>
> Don't know if it's a bug in syslogd which's responsible or it's the
> sender who's responsible.
>
> Can you do a tcpdump like this and show the output?
>
> ```
> root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port
>syslog
> ```
>
> -RVP
I appreciate the pointer to PR# 47529. I did perform a Query PR prior
to doing a Send PR, but not knowing what to search for, all I did was
to put a single keyword "syslogd" in the relevant search field. Very
few of the results returned were directly related to syslogd, and I
didn't inspect each and every one of them. I mainly looked for the
dates to have been within the last two years or so.
I'm happy to defer to your knowledge on whether a syslog message is
malformed, and I'd put money on it being the remote device (the HP
switch, which is running some kind of embedded Linux from HP, of
course) that's responsible. Yes, I can do a tcpdump like what you've
shown, when I'm on-site next week. Thanks for the suggestion.
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 7 Aug 2024 14:31:03 -0000 (UTC)
xover2391@hush.com writes:
>Yes, I am aware of this. Of the four lines I added to /etc/syslog.conf, I am assuming that it only matters to the last one, and the space between the *.* and /var/log/foreign is tabs not spaces.
I have configured something similar (netbsd-10/i386) and it just works.
One difference is that I don't use the !* program specification. It's
+@
... local rules here ...
-@
... remote rules here ...
And I tested that adding !* like in the example doesn't change the behaviour.
From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Fri, 09 Aug 2024 06:03:40 +0000
On 8/7/2024 at 2:35 PM, "Michael van Elst" <mlelstv@serpens.de> wrote:
>
>The following reply was made to PR bin/58558; it has been noted by
>GNATS.
>
>From: mlelstv@serpens.de (Michael van Elst)
>To: gnats-bugs@netbsd.org
>Cc:
>Subject: Re: bin/58558: syslog.conf(5) man page example does not
>work.
>Date: Wed, 7 Aug 2024 14:31:03 -0000 (UTC)
>
> xover2391@hush.com writes:
>
> >Yes, I am aware of this. Of the four lines I added to
>/etc/syslog.conf, I am assuming that it only matters to the last
>one, and the space between the *.* and /var/log/foreign is tabs
>not spaces.
>
> I have configured something similar (netbsd-10/i386) and it just
>works.
> One difference is that I don't use the !* program specification.
>It's
>
> +@
> ... local rules here ...
> -@
> ... remote rules here ...
>
> And I tested that adding !* like in the example doesn't change
>the behaviour.
Although I'm trying to get the syslog messages from a HP network
switch written to a separate file in /var/log on a NetBSD-10/amd64
server, I'm happy to try different things to try and figure out
what's going wrong with that. I can do what you've suggested, and
also try doing it from a computer running NetBSD, and to a server
running NetBSD/i386, to see if I can get the same results. If I can
get success with that, I can then try and sort out the problem with
the HP switch.
I can try this out next week when I am back on-site.
Thanks.
From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 04 Sep 2024 07:04:35 +0000
On 8/7/2024 at 7:10 AM, "RVP" <rvp@SDF.ORG> wrote:
>
>The following reply was made to PR bin/58558; it has been noted by
>GNATS.
>
>From: RVP <rvp@SDF.ORG>
>To: gnats-bugs@netbsd.org
>Cc:
>Subject: Re: bin/58558: syslog.conf(5) man page example does not
>work.
>Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)
>
> On Wed, 7 Aug 2024, xover2391@hush.com wrote:
>
> > # Save non-local log messages from all programs to a separate
>file.
> > !*
> > -@
> > *.* /var/log/foreign
> >
>
> There is PR #47529 which _looks_ almost like this PR, except,
>close reading
> of syslog.conf(5) suggests that the duplicate copies should be
>expected with
> the config. file you've shown. Ie. by default, messages will
>"cascade" to
> multiple files unless stopped by other rules or using the `-U'
>flag to syslogd.
>
> Here's a syslog.conf which does work for separating outputs from
>other hosts
> to a different file (works around PR #47529 too):
>
> ```
> # $NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
>
> +@
> *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
> *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none /var/log/messages
> kern.debug /var/log/messages
>
> # The authpriv log file should be restricted access; these
> # messages shouldn't go to terminals or publically-readable
> # files.
> auth,authpriv.info /var/log/authlog
>
> cron.info /var/log/cron
> ftp.info /var/log/xferlog
> lpr.info /var/log/lpd-errs
> mail.info /var/log/maillog
> #uucp.info /var/spool/uucp/ERRORS
>
> *.emerg *
> #*.notice root
>
> !*
> +192.168.68.171,qemu
> *.* /var/log/host1.log
> ```
>
> The only additions from the default syslog.conf file are the:
>
> +@
>
> and:
>
> !*
> +192.168.68.171,qemu
> *.* /var/log/host1.log
>
> The `+@' hostname-spec causes the rules following it to be
>applied _only_ to
> the local host. This duplicates the functionality of the default
>config. file.
>
> The other block then sends all output from the named host(s) to a
>separate
> file.
>
> But, for this to work (I've just tested this), the remote host
>has to send
> well formed syslog data to the syslogd program on NetBSD. In my
>test the remote
> host ("qemu") was also NetBSD and the messages in
>`/var/log/host1.log' look
> like this:
>
> ```
> <auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on ::
>port 22.
> <auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on
>0.0.0.0 port 22.
> <user.debug>Aug 7 06:29:02 qemu sshd: bl_init: connect failed
>for `/var/run/blacklistd.sock' (No such file or directory)
> <mail.info>Aug 7 06:29:02 qemu postfix/postfix-script[466]:
>starting the Postfix mail system
> <mail.info>Aug 7 06:29:02 qemu postfix/master[479]: daemon
>started -- version 3.8.4, configuration /etc/postfix
> <auth.notice>Aug 7 06:29:36 qemu login: ROOT LOGIN (root) on tty
>constty
> <cron.info>Aug 7 06:30:43 qemu cron[549]: (root) CMD START
>(/usr/libexec/atrun)
> <cron.info>Aug 7 06:30:43 qemu cron[537]: (root) CMD FINISH
>(/usr/libexec/atrun)
> ```
>
> The message you posted on netbsd-users@ looks malformed:
>
> ```
> <user.info>Aug 7 10:40:08 Aug -: 7 10:40:08 192.168.1.200-1
>USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30
>started for user admin connected from 192.168.1.210
> ```
>
> Don't know if it's a bug in syslogd which's responsible or it's
>the sender who's
> responsible.
>
> Can you do a tcpdump like this and show the output?
>
> ```
> root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port
>syslog
> ```
>
> -RVP
Apologies that it has taken me so long to be able to get you the info
you requested. There has been some progress on this issue which I
detailed in a separate message in this thread, relating to the
setting of a hostname for the NetBSD server. After setting the NetBSD
server hostname, and altering /etc/syslog.conf to include a "+@" line
near the top and a "-@" line near the bottom, syslogd now puts the
non-local/remote syslog messages into a separate file, which is a
good start.
I still want to extend things so that each remote host/device has its
syslog messages put into a separate file, so I tried replacing the
"-@" line with "+192.168.1.200". After doing that (and rebooting the
NetBSD server) the syslog messages from 192.168.1.200 are not saved
anywhere. Clearly, those messages are not local, but they are also
not identified as "being from" 192.168.1.200. So I changed the line
back to "-@" and ran the tcpdump command you mentioned above.
netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst port syslog
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info, length: 154
E.....@.@.................k.<14> Sep 4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user admin connected from 192.168.1.210
.
^C
1 packet captured
23 packets received by filter
0 packets dropped by kernel
netbsd1#
I also configured a total of nine other devices (seven routers, one
different network switch, and a Synology NAS unit) to send their
syslog messages to the NetBSD server. The /etc/syslog.conf file now
looks like this (The only differences are line 3 which has "+@" and
everything from the line that has "-@" until End Of File):
# $NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
+@
*.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none /var/log/messages
kern.debug /var/log/messages
# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth,authpriv.info /var/log/authlog
cron.info /var/log/cron
ftp.info /var/log/xferlog
lpr.info /var/log/lpd-errs
mail.info /var/log/maillog
#uucp.info /var/spool/uucp/ERRORS
*.emerg *
#*.notice root
-@
*.* /var/log/foreign
# HP network switch
+192.168.1.200
*.* /var/log/host-192.168.1.200
# Other network switch
+192.168.1.201
*.* /var/log/host-192.168.1.201
# DrayTek router
+192.168.1.202
*.* /var/log/host-192.168.1.202
# NetComm router 1
+192.168.1.203
*.* /var/log/host-192.168.1.203
# NetComm router 2
+192.168.1.204
*.* /var/log/host-192.168.1.204
# Sonicwall router
+192.168.1.205
*.* /var/log/host-192.168.1.205
# TP-Link router
+192.168.1.206
*.* /var/log/host-192.168.1.206
# Netgear router
+192.168.1.207
*.* /var/log/host-192.168.1.207
# Sagemcom router
+192.168.1.208
*.* /var/log/host-192.168.1.208
# Synology NAS
+192.168.1.209
*.* /var/log/host-192.168.1.209
The NetBSD server is saving the syslog messages from each of the
seven routers to their respective /var/log/host-192.168.1.20x files
as well as to the /var/log/foreign file. It is not saving the syslog
messages from the two network switches or the Synology NAS unit to
their respective files, even though it is saving them to the
/var/log/foreign file (at least it recognises that they're "not
local"). I'm not sure if a tcpdump of a syslog message from the
Synology NAS or the other network switch would be useful, but I can
provide that if requested.
The Synology NAS unit has the option to send its syslog messages in
either "BSD (RFC 3164)" or "IETF (RFC 5424)" format. I can see the
difference in the syslog message structure of either format from that
unit as they are saved in the /var/log/foreign file, but neither
format results in the saving of the messages in the
/var/log/host-192.168.1.209 file.
Hints, tips, or suggestions are welcome. Thanks.
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: xover2391@hush.com
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 4 Sep 2024 07:22:07 +0000 (UTC)
On Wed, 4 Sep 2024, xover2391@hush.com via gnats wrote:
> I still want to extend things so that each remote host/device has
> its syslog messages put into a separate file, so I tried replacing
> the "-@" line with "+192.168.1.200". After doing that (and
> rebooting the NetBSD server) the syslog messages from 192.168.1.200
> are not saved anywhere. Clearly, those messages are not local, but
> they are also not identified as "being from" 192.168.1.200. So I
> changed the line back to "-@" and ran the tcpdump command you
> mentioned above.
>
> netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst port syslog
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
> IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info, length: 154
> E.....@.@.................k.<14> Sep 4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user admin connected from 192.168.1.210
> .
> ^C
The "hostname" is `192.168.1.200-1', so:
> # HP network switch
> +192.168.1.200
> *.* /var/log/host-192.168.1.200
>
```
# HP network switch
+192.168.1.200-1 /var/log/host-192.168.1.200
```
Because IP addresses can change, the RFCs prefer to use either a hostname
or some other unique token to key on.
Not sure what syslogd does when the hostname is `-' (unspecified). I'll have
to look at the code. Maybe this weekend...
-RVP
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 4 Sep 2024 07:31:29 +0000 (UTC)
On Wed, 4 Sep 2024, RVP via gnats wrote:
> ```
> # HP network switch
> +192.168.1.200-1 /var/log/host-192.168.1.200
> ```
>
Sorry--that should of course be:
```
+192.168.1.200-1
*.* /var/log/host-192.168.1.200
```
-RVP
From: xover2391@hush.com
To: "RVP" <rvp@sdf.org>, gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 04 Sep 2024 07:37:02 +0000
On 9/4/2024 at 7:22 AM, "RVP" <rvp@SDF.ORG> wrote:
>
>On Wed, 4 Sep 2024, xover2391@hush.com via gnats wrote:
>
>> I still want to extend things so that each remote host/device
>has its syslog messages put into a separate file, so I tried
>replacing the "-@" line with "+192.168.1.200". After doing that
>(and rebooting the NetBSD server) the syslog messages from
>192.168.1.200 are not saved anywhere. Clearly, those messages are
>not local, but they are also not identified as "being from"
>192.168.1.200. So I changed the line back to "-@" and ran the
>tcpdump command you mentioned above.
>>
>> netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst
>port syslog
>> tcpdump: verbose output suppressed, use -v or -vv for full
>protocol decode
>> listening on re0, link-type EN10MB (Ethernet), capture size
>262144 bytes
>> IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info,
>length: 154
>> E.....@.@.................k.<14> Sep 4 14:57:10 192.168.1.200-1
>USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46
>ended for user admin connected from 192.168.1.210
>> .
>> ^C
>
>The "hostname" is `192.168.1.200-1', so:
>
>> # HP network switch
>> +192.168.1.200
>> *.* /var/log/host-192.168.1.200
>>
>
>```
># HP network switch
>+192.168.1.200-1 /var/log/host-192.168.1.200
>```
>
>Because IP addresses can change, the RFCs prefer to use either a
>hostname
>or some other unique token to key on.
>
>Not sure what syslogd does when the hostname is `-' (unspecified).
>I'll have
>to look at the code. Maybe this weekend...
>
>-RVP
Many thanks for the suggestion, but it didn't work when I changed it to
+192.168.1.200-1
*.* /var/log/host-192.168.1.200
The syslog messages from the HP network switch are still being saved
to /var/log/foreign but there's nothing in /var/log/host-192.168.1.200
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc: xover2391@hush.com
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 4 Sep 2024 07:45:27 +0000 (UTC)
On Wed, 4 Sep 2024, xover2391@hush.com via gnats wrote:
> Many thanks for the suggestion, but it didn't work when I changed it to
>
>
> +192.168.1.200-1
> *.* /var/log/host-192.168.1.200
>
Ah, I was afraid of that happening. With that weird hostname, it would have to
be just `+192' I guess (the domain names are discarded). Can you configure a
proper hostname on this switch?
-RVP
From: xover2391@hush.com
To: "RVP" <rvp@sdf.org>, gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Mon, 09 Sep 2024 01:50:18 +0000
On 9/4/2024 at 7:45 AM, "RVP" <rvp@SDF.ORG> wrote:
>
>On Wed, 4 Sep 2024, xover2391@hush.com via gnats wrote:
>
>> Many thanks for the suggestion, but it didn't work when I
>changed it to
>>
>>
>> +192.168.1.200-1
>> *.* /var/log/host-
>192.168.1.200
>>
>
>Ah, I was afraid of that happening. With that weird hostname, it
>would have to
>be just `+192' I guess (the domain names are discarded). Can you
>configure a
>proper hostname on this switch?
>
>-RVP
I don't believe so. The only place I can do anything like that is on
the "home page" of the network switch (that page is called the
"Dashboard") in the System Name field. However, I've tried entering
something into that field previously, and the syslog message it sends
to the NetBSD server still contains 192.168.1.200-1 in the message
and no mention of what I entered into that field. This is in contrast
to just one of the routers I have here (a Draytek Vigor model) where
I can set the "Router Name" that then appears in the syslog messages
it sends to the NetBSD server.
Here is an example of that (the following messages are being saved to
/var/log/host-192.168.1.207 because of the "+192.168.1.207" block
specifier in /etc/syslog.conf):
(With the Draytek "Router Name" set to blank, which is the factory
default setting)
<local2.info>Sep 9 10:50:29 192.168.1.207 Vigor: [WEB]System Reboot
(And this is with the Draytek "Router Name" set to "draytek2024")
<local2.info>Sep 9 10:53:11 192.168.1.207 draytek2024: [WEB]System Reboot
Considering the NetBSD server was saving both of those messages to
the same file and was effectively ignoring the Draytek hostname, I
wondered if the fourth field (192.168.1.207) was what it was basing
its decisions on. Once again, here is an example of a syslog message
from the network switch:
<user.info>Sep 9 11:23:37 Sep -: 9 11:23:37 192.168.1.200-1 USER_MGR[26109764]: user_mgr_util.c(1588) 1178 %% HTTP Session 8 started for user admin connected from 192.168.1.220
So I changed the block specifier in /etc/syslog.conf from:
+192.168.1.200
to what is in the fourth field of this switch's syslog message:
+Sep
and now the syslog messages from the network switch are being saved
in the /var/log/host-192.168.1.200 file.
Obviously, this is not a good result for so many reasons, but it is a
result nonetheless. I believe it also supports what you said early on
that the syslog messages from this network switch seem to be
malformed. I assume what you mean by that is that they do not conform
to some RFC or IETF standard.
I am going to look more closely at the fourth field from each of the
seven routers I set up for this, the other network switch, and the
Synology unit. I expect to find the IP address in the fourth field
for each of the seven routers, but something else from the other
network switch and the Synology unit, to explain why the syslog
messages from the seven routers are being saved to their respective
separate files, but the syslog messages from the other network switch
and the Synology unit are not.
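The header parsing and host-block behaviour discussed in this thread (RVP's `+@`/`-@` blocks with their cascading, and the "fourth field" the submitter ended up keying on), as an added Python model; it is not NetBSD's syslogd source. It assumes a receiving host named netbsd1 and a constructed block table; the switch datagram is the one from the tcpdump earlier in the thread.

```python
"""Model of how a BSD-syslog receiver splits an RFC 3164 datagram and how
syslog.conf(5) host/program blocks then select it.

Added illustration for PR bin/58558; this is NOT NetBSD's syslogd source,
only a compact model of the behaviour reported in the thread.  LOCAL_HOST
and the CONF table are constructed for the example."""

import re
from dataclasses import dataclass
from typing import Optional

LOCAL_HOST = "netbsd1"  # constructed: hostname of the receiving NetBSD box

# RFC 3164 HEADER: the 15-character TIMESTAMP "Mmm dd hh:mm:ss" must start
# right after the '>' that closes the PRI; a day < 10 is padded with a space.
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d ")
# TAG: program name, optional [pid], then ':' (a bare word is not a TAG)
_TAG = re.compile(r"^([A-Za-z0-9_./-]+)(\[\d+\])?:\s?")


@dataclass
class Message:
    facility: int
    severity: int
    timestamp: Optional[str]  # None: receiver stamps it with its own clock
    host: str                 # the "fourth field" the thread keys blocks on
    appname: Optional[str]    # None is what syslogd prints as "-"
    msg: str


def parse_bsd_syslog(raw: str) -> Message:
    """Split one datagram.  Only PRI is mandatory; if the timestamp is not
    at its fixed offset the receiver falls back to taking the next token as
    the hostname.  A stray space after '<14>' therefore turns the month
    abbreviation into the host, which is what the PR found for the switch."""
    m = re.match(r"^<(\d{1,3})>", raw)
    if not m:
        raise ValueError("datagram has no PRI field")
    pri = int(m.group(1))
    rest = raw[m.end():]
    timestamp = None
    if _TIMESTAMP.match(rest):
        timestamp, rest = rest[:15], rest[16:]
    host, _, rest = rest.lstrip().partition(" ")
    appname = None
    tag = _TAG.match(rest)
    if tag:
        appname, rest = tag.group(1), rest[tag.end():]
    return Message(pri >> 3, pri & 7, timestamp, host, appname, rest)


# Constructed block table in the shape of the thread's final /etc/syslog.conf:
# (host spec, program spec, destination).  Every rule in the model is "*.*".
CONF = [
    ("+@", "*", "/var/log/messages"),                        # local host only
    ("-@", "*", "/var/log/foreign"),                         # everything non-local
    ("+192.168.1.200", "*", "/var/log/host-192.168.1.200"),  # never matches the switch
    ("+Sep", "*", "/var/log/host-192.168.1.200"),            # workaround found in the PR
    ("+nas", "*", "/var/log/host-192.168.1.209"),            # Synology, System Name "nas"
    ("-@", "sshd", "/var/log/remote-sshd"),                  # host block plus !prog block
]


def host_block_matches(spec: str, host: str, local_host: str = LOCAL_HOST) -> bool:
    """'+a,b' matches hosts a or b, '-a,b' matches every other host, and '@'
    stands for the local host.  Whole tokens are compared case-insensitively;
    the model does not strip domain parts."""
    negate = spec.startswith("-")
    wanted = {(local_host if n == "@" else n).lower() for n in spec[1:].split(",")}
    return (host.lower() in wanted) != negate


def route(raw: str, conf=CONF, local_host: str = LOCAL_HOST):
    """Return every destination a datagram lands in.  Blocks do not stop the
    cascade: each matching block writes the message, which is why the routers'
    lines appeared in both /var/log/foreign and their own host file."""
    m = parse_bsd_syslog(raw)
    return [
        dest for hspec, pspec, dest in conf
        if host_block_matches(hspec, m.host, local_host)
        and (pspec == "*" or pspec == m.appname)
    ]


# Constructed datagrams.  SWITCH_RAW is the switch line from the PR's tcpdump
# (note the space between '<14>' and 'Sep'); the others are what a compliant
# sender would emit for the same hosts.
SWITCH_RAW = ("<14> Sep 4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: "
              "user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user "
              "admin connected from 192.168.1.210")
SWITCH_FIXED = ("<14>Sep  4 14:57:10 192.168.1.200 USER_MGR[44365908]: "
                "user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended")
NAS_RAW = "<38>Sep  9 10:50:29 nas sshd[2345]: Accepted publickey for admin"
LOCAL_RAW = "<38>Sep  9 10:51:00 netbsd1 sshd[612]: Accepted publickey for root"

if __name__ == "__main__":
    for raw in (SWITCH_RAW, SWITCH_FIXED, NAS_RAW, LOCAL_RAW):
        m = parse_bsd_syslog(raw)
        print(f"host={m.host!r:18} app={m.appname!r:12} -> {route(raw)}")
```

Running it shows the switch datagram parsed with host "Sep" and no program name, so only `-@` and `+Sep` select it, while the same message with a well-formed header lands in the host file through `+192.168.1.200`.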
From: xover2391@hush.com
To: gnats-bugs@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Mon, 09 Sep 2024 04:30:31 +0000
Of the ten devices I configured for testing, I can confirm that all
seven of the routers have their respective IP address in the fourth
field of any syslog message saved by the NetBSD server.
I can confirm that the Synology unit (which has its System Name set
to "nas") has "nas" in the fourth field of any syslog message saved
by the NetBSD server instead of its IP address, regardless of whether
the Synology was sending the syslog messages in BSD form or IETF
form. All I had to do was to alter the block specifier to "+nas" in
/etc/syslog.conf, and the Synology's syslog messages were then being
written to the file I specified.
I can confirm that the other network switch (not a HP unit like the
first one is) has the three character month abbreviation of its local
time in the fourth field, just as the HP network switch has. I am
surprised to see the same behaviour from two different network switch
manufacturers. By changing the block specifier to "+<Month>", the
syslog messages from either network switch could be saved to a
separate file from the other messages, but not separate from each
other. Not a good workaround, for so many reasons.
In any case, it seems as if the original reason for opening this bug
report has been solved. For the example I listed in the
syslog.conf(5) man page to work correctly, the NetBSD server needs to
have a hostname set (I eventually did that in /etc/rc.conf) and with
the use of the "+@", "-@", and "+<IP address>" or "+<hostname>" or
"+<whatever is in the fourth field of a syslog message from a remote
device>" block specifiers, syslog messages from different devices can
be saved to different files.
This bug report can be closed. Thanks to all who assisted.
>Unformatted:
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.