On Thu, Apr 28, 2022 at 1:26 PM Ulrich Windl < ulrich.wi...@rz.uni-regensburg.de> wrote:
> >>> Lennart Poettering <lenn...@poettering.net> schrieb am 28.04.2022 um > 10:27 > in > Nachricht <YmpQCYN0Y/gxlzGU@gardel-login>: > > On Do, 28.04.22 09:32, Ulrich Windl (ulrich.wi...@rz.uni‑regensburg.de) > wrote: > > > >> Actually I wasn't quite sure about the default config in SLES12. > >> It seems the flow is journald ‑> local rsyslogd ‑> remote syslogd > >> > >> > rsyslogd already knows if messages are UTF‑8 because the system's > $LANG > >> > (well, nl_langinfo) says so. And if rsyslog can't trust that for some > >> > reason (e.g. because a user might have a different locale), then > >> > systemd‑journald won't be able to trust it either, so it won't know > whether > >> > it could add the BOM. > >> > >> How could a remote syslog server know what the locale on the sending > system > >> is? > > > > Your local rsyslogd could add the BOM when it transforms journal > > messages to syslog datagrams. > > > >> > RFC 3164 over the network to a remote server? Outside the scope for > >> > systemd, since it doesn't generate the network packets; your local > rsyslogd > >> > forwarder does. (Also, why RFC 3164 and not 5425?) > >> > >> If you look outside the world of systemd, about 99% of systems create > the > > RFC > >> 3164 type of messages. > > > > That's a wild claim, and simply wrong actually. > > Well actually as systemd cannot send syslog messages to remote, which > systems > do you know that send RFC 5424 messages? > Actually I know none here. > syslog-ng does with destination{syslog()}, rsyslogd does with RSYSLOG_SyslogProtocol23Format; the HP switches at $WORK (and I think the Cisco ones) didn't even have BSD-format as an option, always producing 5424-format. > > > > systemd is focussed on reality: we generate and process the same > > format glibc generates. > > I'm wondering which API all those programs use that create correct syslog > entries. > It's not that they create correct syslog entries, it's that the syslogd (well, the /dev/log listener, so including journald) *parses and rebuilds* the entries that come from the API before storing them anywhere. Whether you use rsyslog or syslog-ng, they don't just dump program-provided data to /var/log – they both parse the input into date + hostname + pid + message, then reformat according to whatever output format is specified. (For example, we have syslog-ng configured to write RFC3339 timestamps.) Journald also does the same by design. -- Mantas Mikulėnas