Configurable syslog support

troglobit commented 4 months ago

Initial Requirements

Ensure authpriv.* is never sent to remote server
Configurable log filters, as syslogd supports (optional)
Log to external media
Log to remote server(s)
Add default rules to factory-config for local logging to RAM disk

Note: see ietf-syslog.yang (draft) below.

Scope

The following details the initial scope for the implementation. Using std. {feature} notation, with crossed out ~~{feature}~~ we can skip in this initial support:

{file-action}
- [x] Log to /log/<FILE>
- [x] Skip default rules for factory-config, classify instead as system log files
- [x] Log to external media, e.g., file:/media/log/my.log (see #538)
- [x] Support basic selectors (this severity and above)
- [x] {file-limit-size} (log rotation, with sane globally configurable defaults)
- [ ] ~~Support {select-adv-compare}~~ (future)
- [x] /etc/syslog.d/log-file-NAME.conf
- [x] /etc/syslog.d/rotate.conf
{remote-action}
- [x] Support basic selectors (this severity and above)
- [x] udp transport
- [ ] ~~tls transport~~ (not supported yet by sysklogd)
- [x] /etc/syslog.d/remote-NAME.conf
~~{console-action}~~ (not required)
~~{signed-messages}~~ (not supported yet by sysklogd)
Log sink/server
- [x] /etc/syslog.d/server.conf

Deviations

Transport TLS (not supported yet by sysklogd)
Facility override, for remote logging (not supported yet by sysklogd)

Augments

Global Log Rotation

Defaults for log rotation, parallel to /syslog/actions, as /syslog/file-rotation

module: ietf-syslog
  +--rw syslog!
     +--rw actions
     |  +-- ...
     |  |
     |  ¦
     +--rw file-rotation
        +--rw number-of-files?   uint32 {file-limit-size}?
        +--rw max-file-size?     uint32 {file-limit-size}?

Log Sink

Acting as log sink, i.e., the remote log server.

Set secure_mode 0 (default 1)
Augment with top-level /syslog/server, settings:
- enabled
- port, default 514

Log Format

 BSD     : myproc[8710]: Kilroy was here.
 RFC3164 : Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
 RFC5424 : 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.

The standard model does not support log format, so it needs to be augmented to support:

{file-action}
- [x] RFC5424 (default: RFC3164)
{remote-action}
- [x] RFC3164 (default: BSD)
- [x] RFC5424

Local Facilities

Code	Facility	Description
0	kern	Kernel log messages
1	user	User-level messages
2	mail	Mail system
3	daemon	General system daemons
4	auth	Security/authorization messages
5	syslog	Messages generated by syslogd
6	lpr	Line printer subsystem
7	news	Network news subsystem
8	uucp	UNIX-to-UNIX copy
9	cron	Clock/cron daemon (BSD, Linux)
10	authpriv	Security/authorization messages (private)
11	ftp	FTP daemon
12	ntp	NTP subsystem
13	audit	Log audit (security)
14	console	Log alert
15	cron2	Clock/cron daemon (Solaris)
16	rauc*	local0, reserved for RAUC
17	container*	local1, reserved for containers
18	local2	Currently unused
19	local3	Currently unused
20	local4	Currently unused
21	local5	Currently unused
22	reserved*	local6, reserved for industrial Ethernet
23	web*	local7, reserved for nginx web server

Facilities marked * are local augments to the model.

Example

admin@example:/> configure 
admin@example:/config/> edit syslog 
admin@example:/config/syslog/> edit actions log-file file:hej
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list 
      all    audit     auth authpriv  console     cron    cron2   daemon      ftp     kern   local0   local1   local2   local3   local4
   local5   local6   local7      lpr     mail     news      ntp   syslog     user     uucp
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list all severity 
     alert       all  critical     debug emergency     error      info      none    notice   warning
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list all severity critical 
admin@example:/config/syslog/actions/log-file/file:hej/> set facility-list mail severity warning 
admin@example:/config/syslog/actions/log-file/file:hej/> end
admin@example:/config/syslog/actions/> diff
+syslog {
+  actions {
+    file {
+      log-file file:hej {
+        facility-filter {
+          facility-list all severity critical
+          facility-list ietf-syslog:mail severity warning
+        }
+      }
+    }
+  }
+}

Note: local policy in this case would put this file in /log/hej.

troglobit commented 4 months ago

Current ietf-syslog.yang (draft) model https://datatracker.ietf.org/doc/draft-ietf-netmod-syslog-model/

module: ietf-syslog
  +--rw syslog!
     +--rw actions
        +--rw console! {console-action}?
        |  +--rw facility-filter
        |  |  +--rw facility-list* [facility severity]
        |  |     +--rw facility            union
        |  |     +--rw severity            union
        |  |     +--rw advanced-compare {select-adv-compare}?
        |  |        +--rw compare?   enumeration
        |  |        +--rw action?    identityref
        |  +--rw pattern-match?     string {select-match}?
        +--rw file {file-action}?
        |  +--rw log-file* [name]
        |     +--rw name               inet:uri
        |     +--rw facility-filter
        |     |  +--rw facility-list* [facility severity]
        |     |     +--rw facility            union
        |     |     +--rw severity            union
        |     |     +--rw advanced-compare {select-adv-compare}?
        |     |        +--rw compare?   enumeration
        |     |        +--rw action?    identityref
        |     +--rw pattern-match?     string {select-match}?
        |     +--rw structured-data?   boolean {structured-data}?
        |     +--rw file-rotation
        |        +--rw number-of-files?   uint32 {file-limit-size}?
        |        +--rw max-file-size?     uint32 {file-limit-size}?
        |        +--rw rollover?          uint32 {file-limit-duration}?
        |        +--rw retention?         uint32 {file-limit-duration}?
        +--rw remote {remote-action}?
           +--rw destination* [name]
              +--rw name                 string
              +--rw (transport)
              |  +--:(udp)
              |  |  +--rw udp
              |  |     +--rw address?   inet:host
              |  |     +--rw port?      inet:port-number
              |  +--:(tls)
              |     +--rw tls
              |        +--rw address?   inet:host
              |        +--rw port?      inet:port-number
              +--rw facility-filter
              |  +--rw facility-list* [facility severity]
              |     +--rw facility            union
              |     +--rw severity            union
              |     +--rw advanced-compare {select-adv-compare}?
              |        +--rw compare?   enumeration
              |        +--rw action?    identityref
              +--rw pattern-match?       string {select-match}?
              +--rw structured-data?     boolean {structured-data}?
              +--rw facility-override?   identityref
              +--rw source-interface?    if:interface-ref {remote-source-interface}?
              +--rw signing! {signed-messages}?
                 +--rw cert-signers
                    +--rw cert-signer* [name]
                    |  +--rw name              string
                    |  +--rw cert
                    |  +--rw hash-algorithm?   enumeration
                    +--rw cert-initial-repeat?   uint32
                    +--rw cert-resend-delay?     uint32
                    +--rw cert-resend-count?     uint32
                    +--rw sig-max-delay?         uint32
                    +--rw sig-number-resends?    uint32
                    +--rw sig-resend-delay?      uint32
                    +--rw sig-resend-count?      uint32

troglobit commented 4 months ago

Split up work in three parts (feature levels):

[ ] {file-action}
[ ] {remote-action}
[ ] {console-action}

The console action may not even be necessary.

troglobit commented 4 months ago

ping @jovatn -- maybe you could take a quick peek at this scope proposal?

jovatn commented 4 months ago

What a nice surprise! :-)

troglobit commented 4 months ago

Resulting complete model, with limited feature set, augments and deviations. Notice the global file rotation and server mode.

$ ./utils/lint.sh -f tree -F ietf-syslog:file-action,file-limit-size,remote-action \
                  ietf-inet-types@2013-07-15.yang \
                  ietf-syslog@2024-03-21.yang     \
                  infix-syslog@2024-07-18.yang 
module: ietf-inet-types

module: ietf-syslog
  +--rw syslog!
     +--rw actions
     |  +--rw file {file-action}?
     |  |  +--rw log-file* [name]
     |  |     +--rw name                  inet:uri
     |  |     +--rw facility-filter
     |  |     |  +--rw facility-list* [facility severity]
     |  |     |     +--rw facility    union
     |  |     |     +--rw severity    union
     |  |     +--rw file-rotation
     |  |     |  +--rw number-of-files?   uint32 {file-limit-size}?
     |  |     |  +--rw max-file-size?     uint32 {file-limit-size}?
     |  |     +--rw infix-syslog:log-format?   identityref
     |  +--rw remote {remote-action}?
     |     +--rw destination* [name]
     |        +--rw name                  string
     |        +--rw (transport)
     |        |  +--:(udp)
     |        |     +--rw udp
     |        |        +--rw address?   inet:host
     |        |        +--rw port?      inet:port-number
     |        +--rw facility-filter
     |        |  +--rw facility-list* [facility severity]
     |        |     +--rw facility    union
     |        |     +--rw severity    union
     |        +--rw infix-syslog:log-format?   identityref
     +--rw infix-syslog:file-rotation
     |  +--rw infix-syslog:number-of-files?   uint32
     |  +--rw infix-syslog:max-file-size?     uint32
     +--rw infix-syslog:server
        +--rw infix-syslog:enabled?   boolean
        +--rw infix-syslog:listen
           +--rw (infix-syslog:listen)?
              +--:(infix-syslog:udp)
                 +--rw infix-syslog:udp* [port]
                    +--rw infix-syslog:port       inet:port-number
                    +--rw infix-syslog:address?   inet:ip-address

module: infix-syslog

  augment /syslog:syslog:
    +--rw file-rotation
    |  +--rw number-of-files?   uint32
    |  +--rw max-file-size?     uint32
    +--rw server
       +--rw enabled?   boolean
       +--rw listen
          +--rw (listen)?
             +--:(udp)
                +--rw udp* [port]
                   +--rw address?   inet:ip-address
                   +--rw port       inet:port-number
  augment /syslog:syslog/syslog:actions/syslog:file/syslog:log-file:
    +---u log-format
  augment /syslog:syslog/syslog:actions/syslog:remote/syslog:destination:
    +---u log-format

kernelkit / infix