Many distros use systemd-journald as main syslog. Receiving messages from it is a valuable thing to do.
To do that, a user just needs to bind to `/run/systemd/journal/syslog`. The problem is a misinterpretation of the message formats, leading to wrong parsing.
See https://git.lattuga.net/boyska/circolog/src/master/cmd/circologd/main.go#L46
instead of `syslog.Automatic`, user should be able to force a certain input format
(or is it "just" a bug in syslog.Automatic? perhaps it's worth reporting to gopkg.in/mcuadros/go-syslog.v2 maintainers)
some more material
here is a line generated by journald
```
<78>May 1 20:51:02 cron[153]: (CRON) INFO (Skipping @reboot jobs -- not system startup)
```
and here is one generated by `logger --rfc3164` (as provided by util-linux)
```
<13>May 1 20:51:40 myhostname root: ciao
```
I think the only difference is the presence of the hostname. So I wonder if that's really required by rfc3164, and whether the bug is therefore in `go-syslog.v2` or in `journald`
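
The hostname difference discussed above, as an added example (not part of the original thread, and not the logic of `go-syslog.v2` or circolog): a standard-library Go parser that tells RFC 5424 from RFC 3164 frames and accepts the hostname-less RFC 3164 form by treating a first token that ends in `:` as the tag. `Header` and `ParseHeader` are hypothetical names; the third sample frame is constructed by prepending `<13>` to the RFC 5424 payload shown in the `circolog-tail` output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Header holds the fields split out of one frame (type invented for this example).
type Header struct{ Format, Priority, Hostname, Tag, Message string }

var (
	// RFC 5424: a version digit follows the priority, then an ISO timestamp.
	re5424 = regexp.MustCompile(`^<(\d{1,3})>1 \S+ (\S+) (\S+) \S+ \S+ (?:-|\[.*\]) ?(.*)$`)
	// RFC 3164: a BSD-style "Mmm dd hh:mm:ss" timestamp follows the priority.
	re3164 = regexp.MustCompile(`^<(\d{1,3})>[A-Z][a-z]{2} [ \d]?\d \d{2}:\d{2}:\d{2} (.*)$`)
)

// ParseHeader classifies a frame and tolerates the hostname-less form journald forwards.
func ParseHeader(line string) (Header, error) {
	if m := re5424.FindStringSubmatch(line); m != nil {
		return Header{"rfc5424", m[1], m[2], m[3], m[4]}, nil
	}
	m := re3164.FindStringSubmatch(line)
	if m == nil {
		return Header{}, fmt.Errorf("unrecognised syslog frame: %q", line)
	}
	first, after, _ := strings.Cut(m[2], " ")
	// If the first token already ends in ':' it is the tag: no hostname was sent.
	if strings.HasSuffix(first, ":") {
		return Header{"rfc3164-nohost", m[1], "", strings.TrimSuffix(first, ":"), after}, nil
	}
	tag, msg, ok := strings.Cut(after, ": ")
	if !ok {
		return Header{}, fmt.Errorf("no tag delimiter in %q", line)
	}
	return Header{"rfc3164", m[1], first, tag, msg}, nil
}

func main() {
	// First two frames are quoted in this thread; the third is constructed (<13> prepended).
	for _, l := range []string{
		"<78>May 1 20:51:02 cron[153]: (CRON) INFO (Skipping @reboot jobs -- not system startup)",
		"<13>May 1 20:51:40 myhostname root: ciao",
		`<13>1 2019-05-02T14:20:00.278040+02:00 testvm root - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="85500"] ciao`,
	} {
		fmt.Println(ParseHeader(l))
	}
}
```
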
I can confirm that now the messages received from `journald` are correctly parsed. In a debian stable vm, I did:
```
systemctl stop rsyslog syslog.socket; rm /run/systemd/journal/syslog
```
Then I started `circologd`, forcing the format:
```
~/circolog $ ./circologd -syslogd-socket /run/systemd/journal/syslog -log-fmt rfc3164
```
Listening with `circolog-tail` I got:
```
# Sent from another terminal
$ logger "ciao"
$ logger --rfc3164 "ciao"
$ logger --rfc5424 "ciao"
# Output from circolog-tail
$ ./circolog-tail
2019/05/02 14:18:56 connecting to localhost:9080
2019/05/02 14:18:56 connected! ws://localhost:9080/ws?fmt=bson
02 May 19 16:19 CEST testvm root: notice ciao
02 May 19 16:19 CEST testvm root: notice ciao
02 May 19 14:20 CEST /run/systemd/journal/dev-log : notice 1 2019-05-02T14:20:00.278040+02:00 testvm root - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="85500"] ciao
```
Restarting `circologd` with `log-fmt` set to auto:
```
~/circolog $ ./circologd -syslogd-socket /run/systemd/journal/syslog -log-fmt auto
```
The same experiment above works smoothly:
```
# From another terminal
$ logger --rfc5424 "ciao"
$ logger --rfc3164 "ciao"
$ logger "ciao"
# Output from circolog-tail
$ ./circolog-tail
2019/05/02 14:20:25 connecting to localhost:9080
2019/05/02 14:20:25 connected! ws://localhost:9080/ws?fmt=bson
02 May 19 14:20 CEST testvm root: notice ciao
02 May 19 16:20 CEST testvm root: notice ciao
02 May 19 16:20 CEST testvm root: notice ciao
```
I prepared a branch with an ad-hoc commit. Still not tested (and no test written).
https://git.lattuga.net/boyska/circolog/src/set-syslog-fmt
here are some random notes to test inside a clean debian container: