Date:      Thu, 21 Sep 2000 13:42:20 -0400
From:      James FitzGibbon <james@targetnet.com>
To:        hackers@freebsd.org
Subject:   syslogd patch for n-tier logging topologies
Message-ID:  <20000921134220.A98032@targetnet.com>

http://people.targetnet.com/~james/syslog-forwarding-hints.diff.gz

(patch relative to 4.1-STABLE, but should apply to -current)

I was trying to build a 3 tier logging system, where boxes send syslog
messages to a server on the local segment, and then that machine forwards
the logs on to the "master" logging machine.

The problem I had was that I use the '!progname' syntax in syslog.conf on
the master host extensively.  This syntax matches any message which *starts*
with the given string.

However, when a message is received from a remote host and subsequently
forwarded to a remote host, the message is prepended with the string
"Forwarded from hostname ".  The message no longer starts with the program
name, so it doesn't get selected by the '!progname' line in syslog.conf.

One could just move the forwarding note to the end, but then you have to
train your eyes to look at the end of the line instead of the beginning for
the hostname.  What is really needed is a way for the middle tier to tell
the top tier machine the hostname of the machine who sent the message in the
first place.

My solution isn't the best, but it does have the advantage of not breaking
the syslog protocol, and you can mix-and-match the old and new forwarding
methods in syslog.conf.

Basically, if you specify a hostname in syslog.conf but precede it with a %
sign instead of an @, the forwarded message will look like this on the way
out (presume the original host is bar, the middle is baz and the top is
foo):

old:	<#>Sep 20 10:52:45 Forwarded from bar: progname: message
new:	<#>%bar Sep 20 10:52:45 progname: message

If syslogd is started with the -h switch (hints), it will look at the first
character of the message.  If it is a %, syslogd reads the text following
the % up to the next space, then reads the message as usual.  When the log
message is processed by logmsg(), I send the hint hostname instead of the
gethostbyaddr-derived hostname.  As a result, the top host logs the message
with the proper hostname of the bottom host.  The message still starts with
the program name, so the '!progname' syntax works.

If the remote host receiving the message doesn't use the -h switch or is
running a non-modified copy of syslogd, the message will still get logged,
but the hint will appear literally in the log.  This isn't pretty, but it
prevents the hints from crashing older syslog daemons.
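The forwarding format and the -h parsing behaviour described above, as an added example in C that is not part of the posted patch or of FreeBSD's syslogd: format_hint builds the "%host" line on the middle tier, parse_hint reads the hint on the receiver, and choose_host decides which hostname to record. The function names, the HINT_HOST_MAX limit, the hostname character check and the trusted_relays list are all assumptions introduced here; the trust list addresses the spoofing case the mail raises by honouring a hint only from a known relay, and otherwise records the sender and leaves the hint literal in the message, matching what the mail describes for unmodified daemons.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Longest hostname a hint may carry (limit chosen for this example). */
#define HINT_HOST_MAX 64

/* Relays whose hints are honoured: the mail's middle tier is "baz".
   Constructed for this example; a real daemon would take it from config. */
static const char *trusted_relays[] = { "baz", NULL };

static int relay_is_trusted(const char *sender)
{
    for (int i = 0; trusted_relays[i] != NULL; i++)
        if (strcmp(trusted_relays[i], sender) == 0)
            return 1;
    return 0;
}

/* Build the outgoing line in the mail's "new" format: "<pri>%orighost rest".
   Returns bytes written, or -1 if out is too small. */
int format_hint(char *out, size_t outlen, int pri, const char *orighost, const char *rest)
{
    int n = snprintf(out, outlen, "<%d>%%%s %s", pri, orighost, rest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Skip an optional "<digits>" priority field at the start of a line. */
static const char *skip_pri(const char *line)
{
    const char *p = line;
    if (*p != '<' || !isdigit((unsigned char)p[1]))
        return line;
    p++;
    while (isdigit((unsigned char)*p))
        p++;
    return (*p == '>') ? p + 1 : line;
}

/* Parse a "%host " hint at the start of text. On success copy the host into
   host[], point *rest at the text after the space and return 1. Return 0 if
   there is no hint, -1 if a hint is present but malformed (empty,
   unterminated, too long, or containing non-hostname characters). */
int parse_hint(const char *text, char *host, size_t hostlen, const char **rest)
{
    if (text[0] != '%') {
        *rest = text;
        return 0;
    }
    const char *sp = strchr(text + 1, ' ');
    if (sp == NULL)
        return -1;
    size_t len = (size_t)(sp - (text + 1));
    if (len == 0 || len >= hostlen)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)text[1 + i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return -1;
    }
    memcpy(host, text + 1, len);
    host[len] = '\0';
    *rest = sp + 1;
    return 1;
}

/* Top-tier decision: given the sender's resolved name and a received line,
   choose the hostname to record and the message text that syslog.conf
   selectors see. The hint is used only when well formed and the sender is a
   trusted relay; otherwise the sender's own name is recorded and the line is
   kept as received, so a spoofed hint appears literally instead of rewriting
   the hostname. Returns 1 if the hint was honoured, 0 if not. */
int choose_host(const char *sender, const char *line, char *host, size_t hostlen, const char **msg)
{
    const char *text = skip_pri(line);
    char hint[HINT_HOST_MAX];
    const char *rest;

    if (parse_hint(text, hint, sizeof hint, &rest) == 1 && relay_is_trusted(sender)) {
        snprintf(host, hostlen, "%s", hint);
        *msg = rest;
        return 1;
    }
    snprintf(host, hostlen, "%s", sender);
    *msg = text;
    return 0;
}

int main(void)
{
    char line[256], host[HINT_HOST_MAX];
    const char *msg;

    /* Middle tier "baz" forwards a message that originally came from "bar". */
    format_hint(line, sizeof line, 13, "bar", "Sep 20 10:52:45 progname: message");
    printf("relay sends: %s\n", line);
    choose_host("baz", line, host, sizeof host, &msg);
    printf("from baz   : host=%s msg=%s\n", host, msg);
    /* The same line from an untrusted host keeps the hint literal. */
    choose_host("evil", line, host, sizeof host, &msg);
    printf("from evil  : host=%s msg=%s\n", host, msg);
    return 0;
}
```

Because the hint is only consulted after the priority field and only when the relay is trusted, the "%progname" message from the logger example in the mail is recorded under the real sender's name with the hint still visible in the text, which is the same outcome an unmodified daemon gives.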

One other advantage to this system is that you only have to update syslogd
or syslog.conf on the middle and top tiers (or more specifically, every tier
except the bottom one).  The majority of machines are in the lower tier, so
rolling this out isn't too painful.

I expect there will be a few comments on this, so bear in mind that the code
isn't polished much.  I don't know if using '%' as the selector character is
a good idea, and there is the issue of spoofing:

> logger "%af.mil Sep 21 13:37:30 icbmd[378] Launch commit in 39 seconds"

Comments are appreciated.

-- 
j.

James FitzGibbon                                           james@targetnet.com
Targetnet.com Inc.                              Voice/Fax +1 416 306-0466/0452

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000921134220.A98032>