Configurable syslog support
Initial Requirements
- Ensure `authpriv.*` is never sent to remote server
- Configurable log filters, as syslogd supports (optional)
- Log to external media
- Log to remote server(s)
- Add default rules to factory-config for local logging to RAM disk
Note: see ietf-syslog.yang (draft) below.
Scope
The following details the initial scope for the implementation. Using std. {feature} notation, with crossed out ~~{feature}~~ we can skip in this initial support:
- [x] `{file-action}`
  - [x] Log to `/log/<FILE>`
  - [x] Skip default rules for `factory-config`, classify instead as system log files
  - [x] Log to external media, e.g., `file:/media/log/my.log` (see #538)
  - [x] Support basic selectors (this severity and above)
  - [x] `{file-limit-size}` (log rotation, with sane globally configurable defaults)
  - [ ] ~~Support `{select-adv-compare}`~~ (future)
  - [x] `/etc/syslog.d/log-file-NAME.conf`
  - [x] `/etc/syslog.d/rotate.conf`
- [x] Log to `{remote-action}`
  - [x] Support basic selectors (this severity and above)
  - [x] udp transport
  - [ ] ~~tls transport~~ (not supported yet by `sysklogd`)
  - [x] `/etc/syslog.d/remote-NAME.conf`
- ~~`{console-action}`~~ (not required)
- ~~`{signed-messages}`~~ (not supported yet by `sysklogd`)
- Log sink/server
  - [x] `/etc/syslog.d/server.conf`
Deviations
- Transport TLS (not supported yet by `sysklogd`)
- Facility override, for remote logging (not supported yet by `sysklogd`)
Augments
Global Log Rotation
Defaults for log rotation, parallel to /syslog/actions, as /syslog/file-rotation
module: ietf-syslog
  +--rw syslog!
     +--rw actions
     |  +-- ...
     |  |
     |  ¦
     +--rw file-rotation
        +--rw number-of-files?   uint32 {file-limit-size}?
        +--rw max-file-size?     uint32 {file-limit-size}?
Log Sink
Acting as log sink, i.e., the remote log server.
- Set `secure_mode 0` (default 1)
- Augment with top-level `/syslog/server`, settings:
  - `enabled`
  - `port`, default 514
Log Format
BSD : myproc[8710]: Kilroy was here.
RFC3164 : Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
RFC5424 : 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.
The standard model does not support log format, so it needs to be augmented to support:
- [x] `{file-action}`
  - [x] `RFC5424` (default: `RFC3164`)
- [x] `{remote-action}`
  - [x] `RFC3164` (default: `BSD`)
  - [x] `RFC5424`
Local Facilities
| Code | Facility | Description |
|---|---|---|
| 0 | kern | Kernel log messages |
| 1 | user | User-level messages |
| 2 | mail | Mail system |
| 3 | daemon | General system daemons |
| 4 | auth | Security/authorization messages |
| 5 | syslog | Messages generated by syslogd |
| 6 | lpr | Line printer subsystem |
| 7 | news | Network news subsystem |
| 8 | uucp | UNIX-to-UNIX copy |
| 9 | cron | Clock/cron daemon (BSD, Linux) |
| 10 | authpriv | Security/authorization messages (private) |
| 11 | ftp | FTP daemon |
| 12 | ntp | NTP subsystem |
| 13 | audit | Log audit (security) |
| 14 | console | Log alert |
| 15 | cron2 | Clock/cron daemon (Solaris) |
| 16 | rauc* | local0, reserved for RAUC |
| 17 | container* | local1, reserved for containers |
| 18 | local2 | Currently unused |
| 19 | local3 | Currently unused |
| 20 | local4 | Currently unused |
| 21 | local5 | Currently unused |
| 22 | reserved* | local6, reserved for industrial Ethernet |
| 23 | web* | local7, reserved for nginx web server |
Facilities marked * are local augments to the model.
Example
admin@example:/> configure
admin@example:/config/> edit syslog
admin@example:/config/syslog/> edit actions log-file file:hej
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list
all audit auth authpriv console cron cron2 daemon ftp kern local0 local1 local2 local3 local4
local5 local6 local7 lpr mail news ntp syslog user uucp
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list all severity
alert all critical debug emergency error info none notice warning
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list all severity critical
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list mail severity warning
admin@example:/config/syslog/actions/log-file/file:hej/> end
admin@example:/config/syslog/actions/> diff
+syslog {
+ actions {
+ file {
+ log-file file:hej {
+ facility-filter {
+ facility-list all severity critical
+ facility-list ietf-syslog:mail severity warning
+ }
+ }
+ }
+ }
+}
Note: local policy in this case would put this file in `/log/hej`.
Current ietf-syslog.yang (draft) model https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/
module: ietf-syslog
  +--rw syslog!
     +--rw actions
        +--rw console! {console-action}?
        |  +--rw facility-filter
        |  |  +--rw facility-list* [facility severity]
        |  |     +--rw facility            union
        |  |     +--rw severity            union
        |  |     +--rw advanced-compare {select-adv-compare}?
        |  |        +--rw compare?   enumeration
        |  |        +--rw action?    identityref
        |  +--rw pattern-match?     string {select-match}?
        +--rw file {file-action}?
        |  +--rw log-file* [name]
        |     +--rw name                inet:uri
        |     +--rw facility-filter
        |     |  +--rw facility-list* [facility severity]
        |     |     +--rw facility            union
        |     |     +--rw severity            union
        |     |     +--rw advanced-compare {select-adv-compare}?
        |     |        +--rw compare?   enumeration
        |     |        +--rw action?    identityref
        |     +--rw pattern-match?      string {select-match}?
        |     +--rw structured-data?    boolean {structured-data}?
        |     +--rw file-rotation
        |        +--rw number-of-files?   uint32 {file-limit-size}?
        |        +--rw max-file-size?     uint32 {file-limit-size}?
        |        +--rw rollover?          uint32 {file-limit-duration}?
        |        +--rw retention?         uint32 {file-limit-duration}?
        +--rw remote {remote-action}?
           +--rw destination* [name]
              +--rw name                 string
              +--rw (transport)
              |  +--:(udp)
              |  |  +--rw udp
              |  |     +--rw address?   inet:host
              |  |     +--rw port?      inet:port-number
              |  +--:(tls)
              |     +--rw tls
              |        +--rw address?   inet:host
              |        +--rw port?      inet:port-number
              +--rw facility-filter
              |  +--rw facility-list* [facility severity]
              |     +--rw facility            union
              |     +--rw severity            union
              |     +--rw advanced-compare {select-adv-compare}?
              |        +--rw compare?   enumeration
              |        +--rw action?    identityref
              +--rw pattern-match?       string {select-match}?
              +--rw structured-data?     boolean {structured-data}?
              +--rw facility-override?   identityref
              +--rw source-interface?    if:interface-ref {remote-source-interface}?
              +--rw signing! {signed-messages}?
                 +--rw cert-signers
                    +--rw cert-signer* [name]
                    |  +--rw name              string
                    |  +--rw cert
                    |  +--rw hash-algorithm?   enumeration
                    +--rw cert-initial-repeat?   uint32
                    +--rw cert-resend-delay?     uint32
                    +--rw cert-resend-count?     uint32
                    +--rw sig-max-delay?         uint32
                    +--rw sig-number-resends?    uint32
                    +--rw sig-resend-delay?      uint32
                    +--rw sig-resend-count?      uint32
Split up work in three parts (feature levels):
- [ ] `{file-action}`
- [ ] `{remote-action}`
- [ ] `{console-action}`
The console action may not even be necessary.
ping @jovatn -- maybe you could take a quick peek at this scope proposal?
What a nice surprise! :-)
Resulting complete model, with limited feature set, augments and deviations. Notice the global file rotation and server mode.
$ ./utils/lint.sh -f tree -F ietf-syslog:file-action,file-limit-size,remote-action \
[email protected] \
[email protected] \
[email protected]
module: ietf-inet-types
module: ietf-syslog
  +--rw syslog!
     +--rw actions
     |  +--rw file {file-action}?
     |  |  +--rw log-file* [name]
     |  |     +--rw name                       inet:uri
     |  |     +--rw facility-filter
     |  |     |  +--rw facility-list* [facility severity]
     |  |     |     +--rw facility    union
     |  |     |     +--rw severity    union
     |  |     +--rw file-rotation
     |  |     |  +--rw number-of-files?   uint32 {file-limit-size}?
     |  |     |  +--rw max-file-size?     uint32 {file-limit-size}?
     |  |     +--rw infix-syslog:log-format?   identityref
     |  +--rw remote {remote-action}?
     |     +--rw destination* [name]
     |        +--rw name                       string
     |        +--rw (transport)
     |        |  +--:(udp)
     |        |     +--rw udp
     |        |        +--rw address?   inet:host
     |        |        +--rw port?      inet:port-number
     |        +--rw facility-filter
     |        |  +--rw facility-list* [facility severity]
     |        |     +--rw facility    union
     |        |     +--rw severity    union
     |        +--rw infix-syslog:log-format?   identityref
     +--rw infix-syslog:file-rotation
     |  +--rw infix-syslog:number-of-files?   uint32
     |  +--rw infix-syslog:max-file-size?     uint32
     +--rw infix-syslog:server
        +--rw infix-syslog:enabled?   boolean
        +--rw infix-syslog:listen
           +--rw (infix-syslog:listen)?
              +--:(infix-syslog:udp)
                 +--rw infix-syslog:udp* [port]
                    +--rw infix-syslog:port       inet:port-number
                    +--rw infix-syslog:address?   inet:ip-address
module: infix-syslog
  augment /syslog:syslog:
    +--rw file-rotation
    |  +--rw number-of-files?   uint32
    |  +--rw max-file-size?     uint32
    +--rw server
       +--rw enabled?   boolean
       +--rw listen
          +--rw (listen)?
             +--:(udp)
                +--rw udp* [port]
                   +--rw address?   inet:ip-address
                   +--rw port       inet:port-number
  augment /syslog:syslog/syslog:actions/syslog:file/syslog:log-file:
    +---u log-format
  augment /syslog:syslog/syslog:actions/syslog:remote/syslog:destination:
    +---u log-format
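One way to check the first requirement in the issue (`authpriv.*` must never reach a remote server) against generated rule files, as an added example that is not code from this project. It assumes the classic `syslog.conf` selector/action syntax with `@host` as the remote action and a simplified model of selector evaluation; the function names and the sample rules are constructed for illustration.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed sample rules (addresses are documentation IPs, not from the issue).
SAMPLE = """\
# remote destinations
*.*;authpriv.none      @192.0.2.1
*.warning              @192.0.2.2:514
auth,authpriv.=info    @192.0.2.3
authpriv.*             /log/auth.log
*.info;authpriv.!err   @192.0.2.4
"""

def severities_matched(selectors, facility="authpriv"):
    """Return the severities of `facility` that a ';'-separated selector list passes."""
    matched = set()
    for sel in selectors.split(";"):
        facs, _, prio = sel.strip().rpartition(".")
        if not {facility, "*"} & set(facs.split(",")):
            continue  # selector does not name this facility
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        exact, prio = prio.startswith("="), prio.lstrip("=")
        prio = ALIASES.get(prio, prio)
        if prio == "none":
            matched.clear()  # later selectors override earlier ones
            continue
        if prio == "*":
            hit = set(SEVERITIES)
        else:
            idx = SEVERITIES.index(prio)  # ValueError on an unknown severity name
            hit = {prio} if exact else set(SEVERITIES[: idx + 1])  # "and above"
        matched = matched - hit if negate else matched | hit
    return matched

def remote_authpriv_leaks(conf_text):
    """Return (line_no, action, severities) for every rule that forwards authpriv."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or not fields[1].startswith("@"):
            continue  # blank, comment, setting, or a local file action
        leaked = severities_matched(fields[0])
        if leaked:
            findings.append((no, fields[1], sorted(leaked, key=SEVERITIES.index)))
    return findings

if __name__ == "__main__":
    for no, action, sevs in remote_authpriv_leaks(SAMPLE):
        print(f"line {no}: authpriv {','.join(sevs)} -> {action}")
```

A catch-all selector such as `*.warning` forwards `authpriv` unless the same rule also carries `authpriv.none`, and a negated priority like `authpriv.!err` only removes the upper severities.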