systemd / systemd-netlogd

Forwards messages from the journal to other hosts over the network using syslog format RFC 5424 and RFC 3164
GNU General Public License v2.0

Support dynamic STRUCTURED-DATA and MSGID #40

Closed iquat closed 6 months ago

iquat commented 9 months ago

Read RFC 5424 structured data and MSGID from journal entries, and add them to the syslog frame.

Usage: write a journal entry containing the fields SYSLOG_STRUCTURED_DATA and SYSLOG_MSGID, and those fields will be forwarded by systemd-netlogd. Example:

  sd_journal_send(
    "MESSAGE=%s", "Message to process",
    "PRIORITY=%s", "4",
    "SYSLOG_FACILITY=%s", "1",
    "SYSLOG_MSGID=%s", "1011",
    "SYSLOG_STRUCTURED_DATA=%s", R"([exampleSDID@32473 iut="3" eventSource="Application"])",
    nullptr // nullptr terminates the parameter list
  );

The above example results in the following syslog frame:

  <12>1 2024-02-09T08:50:14.406197+01:00 d11 journalExport 10932 1011 [exampleSDID@32473 iut="3" eventSource="Application"] Message to process

If we combine this with e.g. StructuredData=[a@32473] in /etc/systemd/systemd-netlogd.conf, then that is prepended to the structured data found in journal entries, e.g.:

  <12>1 2024-02-09T08:50:14.406197+01:00 d11 journalExport 10932 1011 [a@32473][exampleSDID@32473 iut="3" eventSource="Application"] Message to process

Please note that the configured StructuredData is copied literally, and if it has a trailing space, structured data from the journal ends up in the message part of the syslog frame.

iquat commented 9 months ago

The use case behind this feature is the following. Instead of, or alongside, the MSG, I'd like to write details of the logged event into the STRUCTURED-DATA part of the RFC 5424 syslog message. systemd-netlogd already provides the StructuredData configuration that will add the same structured data to every log. However, if you want to store event details in the STRUCTURED-DATA part of the RFC 5424 frame, a static configuration is not a viable solution.

ssahani commented 7 months ago

See https://github.com/ssahani/systemd-netlogd/pull/new/journal-structed-data

iquat commented 7 months ago

See https://github.com/ssahani/systemd-netlogd/pull/new/journal-structed-data

Thanks @ssahani, I tried it, and it works well for my use case. I like the names and description of the new configuration entries (UseSysLogStructuredData and UseSysLogMsgId), and I like the sd_journal_send() example you added to the README. I think there are two points where we could improve it further.

Although the new configuration entries (UseSysLogStructuredData and UseSysLogMsgId) default to false according to README.md, this was not the case when I tried netlogd without setting these configurations. It could be implemented by checking for m->syslog_structured_data and m->syslog_msgid in format_rfc5424(). Yesterday I tried to implement those checks, but I failed to make it operational. I would need further debugging, but my priorities are different now, so I'm just writing it down here so it is not forgotten.

My other point is about the independence of the configuration entries. Setting StructuredData currently disables UseSysLogStructuredData. This is not a problem for my use case, but it could be a feature request later for other users that the two options should work together. The order in which StructuredData and SYSLOG_STRUCTURED_DATA are added shouldn't matter because the order of structured data elements has no significance according to RFC 5424. My personal preference would be to start with StructuredData.

Thank you again!
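
A check for the trailing-space caveat in the first comment and the combined ordering discussed in the last one, as an added example that is not systemd-netlogd's code. `sd_is_wellformed()` and `sd_join()` are hypothetical helpers: the first validates a string against the RFC 5424 STRUCTURED-DATA grammar, the second emits the configured element first and drops malformed parts (an assumed policy).

```c
#include <string.h>

/* SD-NAME: 1..32 printable US-ASCII bytes except '=', SP, ']' and '"'. */
static size_t sd_name_len(const char *p) {
    size_t n = 0;
    while (p[n] > 32 && p[n] < 127 && !strchr("=]\"", p[n])) n++;
    return n <= 32 ? n : 0;   /* 0 means empty or too long */
}

/* 1 if s is exactly 1*SD-ELEMENT (RFC 5424, section 6.3), else 0. */
int sd_is_wellformed(const char *s) {
    if (!s || *s != '[') return 0;
    while (*s == '[') {
        size_t n = sd_name_len(++s);               /* SD-ID */
        if (!n) return 0;
        s += n;
        while (*s == ' ') {                        /* SP SD-PARAM */
            n = sd_name_len(++s);                  /* PARAM-NAME */
            if (!n || s[n] != '=' || s[n + 1] != '"') return 0;
            for (s += n + 2; *s && *s != '"'; s++) {
                if (*s == ']') return 0;           /* must be escaped */
                if (*s == '\\' && s[1]) s++;       /* skip escaped byte */
            }
            if (*s++ != '"') return 0;
        }
        if (*s++ != ']') return 0;
    }
    return *s == '\0';   /* trailing space or stray bytes: reject */
}

/* Hypothetical policy: configured element(s) first, then the journal's;
 * malformed parts are dropped, "-" (NILVALUE) is written if none remain.
 * Returns the number of parts used, or -1 if out is too small. */
int sd_join(const char *configured, const char *journal, char *out, size_t size) {
    const char *parts[2] = { configured, journal };
    size_t len = 0;
    int used = 0;
    for (int i = 0; i < 2; i++) {
        if (!sd_is_wellformed(parts[i])) continue;
        size_t n = strlen(parts[i]);
        if (len + n >= size) return -1;
        memcpy(out + len, parts[i], n);
        len += n;
        used++;
    }
    if (!used && size < 2) return -1;
    if (!used) out[len++] = '-';
    out[len] = '\0';
    return used;
}
```

With this policy a configured value such as `[a@32473] ` (trailing space) is rejected instead of pushing the journal's structured data into the MSG part.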