Esteemed busybox developers: When using syslogd for remote logging, our syslog server administrators complained (and I confirmed) that syslogd messages sent over the wire were not in accordance with RFC 3164 Section 4.1.2, specifically: The HEADER part contains a timestamp and an indication of the hostname or IP address of the device.
[…] The HOSTNAME field will contain only the hostname, the IPv4 address, or the IPv6 address of the originator of the message. The preferred value is the hostname. The hostname is currently not included in the header. This was not the case for local logging, which did include the hostname. When this was raised in 2008, Denys responded with Won't Fix, saying that Ubuntu did not include the hostname in its syslogd datagrams. I humbly ask you to reconsider whether Ubuntu bugs and configuration errors should take precedence over the RFC 😊. Also for remote logging, syslogd ignored /etc/syslog.conf.busybox, whereas for local logging the config file was effective. This leaves users unable to filter or despatch remotely-transmitted syslog messages by priority. There is nothing in the documentation or RFC that would lead you to expect this peculiar behaviour. Looking at the the do_syslogd function within root<https://git.busybox.net/busybox/tree/?h=1_35_stable>/sysklogd<https://git.busybox.net/busybox/tree/sysklogd?h=1_35_stable>/syslogd.c<https://git.busybox.net/busybox/tree/sysklogd/syslogd.c?h=1_35_stable> at the section that handles remote logging, the cause becomes clear: /* We are not modifying log messages in any way before send */ /* Remote site cannot trust _us_ anyway and need to do validation again */ This would be completely appropriate if the device was merely relaying correctly-formatted syslog messages that originated elsewhere, but not so appropriate for locally-originated syslog messages that lack the required hostname field. It is true that the remote site needs to do the validation again, but in our case the remote site is correctly indicating that the received packet is invalid. This section of the code also disregards /etc/syslog.conf.busybox, which explains why the file was ineffective at controlling remote logging. I realise you all busy people, but can we please get this fixed at some stage so that: -Hostname is included in syslog messages as per RFC 3164; and -The syslog server pays attention to /etc/syslog.conf.busybox for remotely logged messages as well as locally-logged ones, including support for the @remote_host action. This should not require any drastic changes to the existing code. It would mostly entail moving the packet transmission code from do_syslog() to timestamp_and_log() within a conditional statement, plus a few more small changes to leave in the pri field and (preferably) blank the res field for the remotely-transmitted string. Plus a DNS lookup for any @remote_host actions in the config file. Alex Lasky SCADA Engineer Digital – Op Technology Desk (02) 8849 5924 Mobile 0419 115 169 alex.la...@sydneywater.com.au<mailto:alex.la...@sydneywater.com.au> Level 2, 1 Smith Street Parramatta NSW 2150 ________________________________ [Facebook]<http://www.facebook.com/SydneyWater> [Twitter] <http://twitter.com/sydneywaternews> [YouTube] <http://www.youtube.com/user/sydneywatertv> [Instagram] <http://www.instagram.com/explore/tags/sydneywater/> ________________________________ NOTICE: This email is confidential. If you are not the nominated recipient, please immediately delete this email, destroy all copies and inform the sender. Sydney Water Corporation (Sydney Water) prohibits the unauthorised copying or distribution of this email. This email does not necessarily express the views of Sydney Water. Sydney Water does not warrant nor guarantee that this email communication is free from errors, virus, interception or interference. ________________________________
_______________________________________________ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox