The syslog source driver does not work with the transport(proxied-tcp) option #4388

Open
kovgeri01 opened this issue Mar 23, 2023 · 1 comment · May be fixed by #4544

@kovgeri01
Contributor

syslog-ng

Version of syslog-ng

4.1.1 - 0c9d249

Issue

Failure

When the syslog source driver is used with the transport(proxied-tcp) option, the frame sent inside the message(s) gets ignored, and each line will count as a new log message.
However, when the same message is received by a source with transport(tcp) instead, the frames inside the message(s) are processed and the received message(s) have the correct length.

Steps to reproduce

  1. Copy the configuration and start syslog-ng with it
  2. Make sure that the following two files exist and the previously started syslog-ng can write them: /tmp/syslog_proxied.log /tmp/syslog_tcp.log
  3. Create an example payload for loggen to send using the following command in /bin/sh: echo "25 This is the first message26 This is the second message" > ./payload
  4. Send the file to syslog-ng using the following commands:

Send it to the source with transport(proxied-tcp): loggen -S -i --file-read-file=$(pwd)/payload -d --proxied --proxy-src-ip=10.10.10.14 --proxy-dst-ip=10.10.10.236 --proxy-src-port=20000 --proxy-dst-port=4514 localhost 40200
Send it to the source with transport(tcp): loggen -S -i --file-read-file=$(pwd)/payload -d localhost 40100

After the steps above:

  • /tmp/syslog_proxied.log will contain the following lines:
Mar 23 14:36:52 localhost 25 This is the first message26 This is the second message
  • /tmp/syslog_tcp.log will contain the following lines:
Mar 23 14:36:52 localhost This is the first message
Mar 23 14:36:52 localhost This is the second message

During this, syslog-ng logs the following:

...
[2023-03-23T14:36:41.902450] Module loaded and initialized successfully; module='syslogformat'
[2023-03-23T14:36:41.902511] Accepting connections; addr='AF_INET(0.0.0.0:40100)'
[2023-03-23T14:36:41.902553] Accepting connections; addr='AF_INET(0.0.0.0:40200)'
[2023-03-23T14:36:41.902707] Running application hooks; hook='1'
[2023-03-23T14:36:41.902712] Running application hooks; hook='9'
[2023-03-23T14:36:41.902932] syslog-ng starting up; version='4.0.1.486.g0c9d249'
[2023-03-23T14:36:41.902939] Running application hooks; hook='2'
[2023-03-23T14:36:52.066143] Initializing PROXY protocol source driver; driver='0x565520772e30'
[2023-03-23T14:36:52.066395] Syslog connection accepted; fd='15', client='AF_INET(127.0.0.1:55846)', local='AF_INET(0.0.0.0:40200)'
[2023-03-23T14:36:52.066733] PROXY header params; params='10.10.10.14 10.10.10.236 20000 4514'
[2023-03-23T14:36:52.066798] PROXY protocol header received; version='1', header='PROXY TCP4 10.10.10.14 10.10.10.236 20000 4514'
[2023-03-23T14:36:52.067037] Incoming log entry; input='25 This is the first message26 This is the second message', msg='0x7fb7000015d0', rcptid='0'
[2023-03-23T14:36:52.068077] Initializing destination file writer; template='/tmp/syslog_proxied.log', filename='/tmp/syslog_proxied.log', symlink_as='(null)'
[2023-03-23T14:36:52.068527] Syslog connection closed; fd='15', client='AF_INET(127.0.0.1:55846)', local='AF_INET(0.0.0.0:40200)'
[2023-03-23T14:36:52.068576] Freeing PROXY protocol source driver; driver='0x565520772e30'
[2023-03-23T14:36:52.068951] Outgoing message; message='Mar 23 14:36:52 localhost 25 This is the first message26 This is the second message\x0a'
[2023-03-23T14:36:52.589620] Syslog connection accepted; fd='15', client='AF_INET(127.0.0.1:59872)', local='AF_INET(0.0.0.0:40100)'
[2023-03-23T14:36:52.589941] Incoming log entry; input='This is the first message', msg='0x7fb7000015d0', rcptid='0'
[2023-03-23T14:36:52.590263] Initializing destination file writer; template='/tmp/syslog_tcp.log', filename='/tmp/syslog_tcp.log', symlink_as='(null)'
[2023-03-23T14:36:52.590508] Incoming log entry; input='This is the second message', msg='0x7fb700002b10', rcptid='0'
[2023-03-23T14:36:52.590573] Invalid frame header; header=''
[2023-03-23T14:36:52.590651] Syslog connection closed; fd='15', client='AF_INET(127.0.0.1:59872)', local='AF_INET(0.0.0.0:40100)'
[2023-03-23T14:36:52.590905] Outgoing message; message='Mar 23 14:36:52 localhost This is the first message\x0a'
[2023-03-23T14:36:52.590940] Outgoing message; message='Mar 23 14:36:52 localhost This is the second message\x0a'
^C[2023-03-23T14:36:58.030002] Running application hooks; hook='3'
[2023-03-23T14:36:58.030034] syslog-ng shutting down; version='4.0.1.486.g0c9d249'
[2023-03-23T14:36:58.131577] Running application hooks; hook='4'

Configuration

@version: 4.1
@include "scl.conf"

options {
    use_dns(yes);
    dns_cache(yes);
    dns_cache_expire(300);
    dns_cache_expire_failed(60);
    stats-freq(0);
    stats_level(1);
    keep_hostname(yes);
    check_hostname(yes);
    log_msg_size(389120);
    threaded(yes);
};

# syslog() source over plain TCP
source s_tcp {
    syslog(
        port(40100)
        ip(0.0.0.0)
        transport(tcp)
        flags(no-parse)
    );
};

# syslog() source that expects a PROXY protocol header on each connection
source s_proxied {
    syslog(
        port(40200)
        ip(0.0.0.0)
        transport(proxied-tcp)
        flags(no-parse)
    );
};

destination d_tcp {
    file("/tmp/syslog_tcp.log");
};

destination d_proxied {
    file("/tmp/syslog_proxied.log");
};

log {
    source(s_tcp);
    destination(d_tcp);
};

log {
    source(s_proxied);
    destination(d_proxied);
};
@kovgeri01 kovgeri01 added the bug label Mar 23, 2023
@MrAnno
Collaborator

MrAnno commented Mar 23, 2023

transport(proxied-*) currently does not support the syslog() driver (framed RFC 6587 proto).
I'm marking this as an enhancement.
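
The difference reported in this issue, as an added example (not syslog-ng code and not part of the original thread): the same byte stream is read newline-delimited and then as RFC 6587 octet-counted frames, after the PROXY v1 header is split off. The function names are hypothetical, and the sample bytes are constructed from the values in the issue, with the CRLF header terminator assumed from the PROXY protocol specification.

```python
import re

# Constructed sample: the PROXY v1 header shown in the issue's debug log,
# followed by the issue's payload (echo appends the trailing newline).
PROXY_HDR = b"PROXY TCP4 10.10.10.14 10.10.10.236 20000 4514\r\n"
PAYLOAD = b"25 This is the first message26 This is the second message\n"

# RFC 6587 octet counting: MSG-LEN is a non-zero-leading decimal, then one SP.
FRAME_HEADER = re.compile(rb"([1-9][0-9]*) ")


def strip_proxy_v1(stream):
    """Split a PROXY protocol v1 header off the stream; return (params, rest)."""
    if not stream.startswith(b"PROXY "):
        return None, stream
    line, sep, rest = stream.partition(b"\r\n")
    if not sep or len(line) + 2 > 107:  # a v1 header is at most 107 bytes
        raise ValueError("malformed PROXY v1 header")
    return line.decode("ascii").split(" ")[1:], rest


def split_lines(data):
    """Newline-delimited reading, the behaviour seen on the proxied-tcp source."""
    return [line for line in data.split(b"\n") if line]


def split_octet_counted(data):
    """Octet-counted reading; returns (messages, unparsed remainder)."""
    msgs, pos = [], 0
    while pos < len(data):
        m = FRAME_HEADER.match(data, pos)
        if not m:
            return msgs, data[pos:]  # no valid frame header at this offset
        length, start = int(m.group(1)), m.end()
        if start + length > len(data):
            return msgs, data[pos:]  # incomplete frame, more bytes needed
        msgs.append(data[start:start + length])
        pos = start + length
    return msgs, b""


if __name__ == "__main__":
    params, rest = strip_proxy_v1(PROXY_HDR + PAYLOAD)
    print("proxy params:", params)
    print("line-based  :", split_lines(rest))
    print("octet-count :", split_octet_counted(rest))
```

The leftover newline in the octet-counted result is the byte that the plain TCP source reports as an invalid frame header in the debug log above.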
