
periodic: Take syslog log format from RFC 5424 into account
Needs RevisionPublic

Authored by michaelo on Thu, Dec 25, 10:02 AM.
Tags
None
Details

Reviewers
jrm
Summary

Make all scripts analyzing syslog output aware of the output format
based on the flags passed to syslogd. It is either the BSD format (RFC 3164) or
the newer RFC 5424 format.

PR: 270497
MFC after: 2 weeks

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 69465
Build 66348: arc lint + arc unit

Event Timeline

Successfully arrived from last night:

deblndw011x.innomotics.net login failures:
<38>1 2025-12-24T10:04:50.770790+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514
<38>1 2025-12-24T10:04:50.863780+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Postponed keyboard-interactive for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514 ssh2 [preauth]
<35>1 2025-12-24T10:04:50.885123+01:00 deblndw011x.innomotics.net sshd-session 13833 - - error: PAM: Authentication error for illegal user uawet448@ad001.siemens.net from demchhc0dbx.hca.siemens.de
<38>1 2025-12-24T10:04:50.885602+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Failed keyboard-interactive/pam for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514 ssh2
<38>1 2025-12-24T10:04:50.911948+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Failed password for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514 ssh2
<38>1 2025-12-24T10:04:50.940358+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Connection closed by invalid user uawet448@ad001.siemens.net 139.25.231.134 port 57514 [preauth]
<38>1 2025-12-24T10:04:51.244839+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556
<38>1 2025-12-24T10:04:51.646452+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Postponed keyboard-interactive for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556 ssh2 [preauth]
<35>1 2025-12-24T10:04:51.668119+01:00 deblndw011x.innomotics.net sshd-session 13838 - - error: PAM: Authentication error for illegal user AD7M26R4@ad007.siemens.net from demchhc0dbx.hca.siemens.de
<38>1 2025-12-24T10:04:51.668608+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Failed keyboard-interactive/pam for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556 ssh2
<38>1 2025-12-24T10:04:51.694973+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Failed password for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556 ssh2
<38>1 2025-12-24T10:04:51.723271+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Connection closed by invalid user AD7M26R4@ad007.siemens.net 139.25.231.134 port 57556 [preauth]
<38>1 2025-12-24T10:04:52.088046+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Invalid user Fortimanager_Access from 139.25.231.134 port 57578
<38>1 2025-12-24T10:04:52.120184+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Postponed keyboard-interactive for invalid user Fortimanager_Access from 139.25.231.134 port 57578 ssh2 [preauth]
<35>1 2025-12-24T10:04:52.140961+01:00 deblndw011x.innomotics.net sshd-session 13844 - - error: PAM: Authentication error for illegal user Fortimanager_Access from demchhc0dbx.hca.siemens.de
<38>1 2025-12-24T10:04:52.141439+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Failed keyboard-interactive/pam for invalid user Fortimanager_Access from 139.25.231.134 port 57578 ssh2
<38>1 2025-12-24T10:04:52.165672+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Failed none for invalid user Fortimanager_Access from 139.25.231.134 port 57578 ssh2
<38>1 2025-12-24T10:04:52.197158+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Connection closed by invalid user Fortimanager_Access 139.25.231.134 port 57578 [preauth]

@ziaee Any idea who I can request a review from for this?

jrm requested changes to this revision. Sat, Dec 27, 5:00 AM

The underlying issue is real, but relying on a sysrc check seems fragile. The contents of /etc/rc.conf describe how syslogd should be started, but not necessarily how the currently running instance was started. For example, the user may have changed the configuration but not restarted the daemon. Also, the proposed flag-matching logic is brittle. For example, something like `syslogd_flags="-N -ss -O rfc5424"` is probably valid (untested) for syslogd, but wouldn't match your pattern.

Two alternatives come to mind:

  1. "Taste" the log file to determine which timestamp format is in use.
  2. Examine the arguments of the running syslogd, e.g. with `ps -axo command | grep '^/usr/sbin/syslogd '`.
This revision now requires changes to proceed. Sat, Dec 27, 5:00 AM
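The two alternatives raised in the review, and the format-agnostic matching the summary asks for, as an added POSIX sh example that is not part of this revision or of FreeBSD's periodic scripts. It assumes syslogd writes RFC 5424 lines to a file with the `<PRI>1 ` prefix seen in the report above and RFC 3164 lines as `Mon DD HH:MM:SS host app[pid]: msg`; the getopts option string is copied by hand from the syslogd(8) synopsis and is an assumption to check against the target release. The log samples are constructed (example hosts and addresses), and the file names, function names and `SYSLOGD_OPTS` are this example's own.

```shell
#!/bin/sh
# Added example; not code from this review or from FreeBSD's periodic scripts.
# Shows (1) tasting a log file for its header format and normalising lines so
# a report matches the message rather than the header, and (2) reading the
# running syslogd's arguments with getopts instead of a string match, so
# "-N -ss -O rfc5424", "-Nss -Orfc5424" and "-ss" are all understood.
# Assumed: RFC 5424 lines carry the "<PRI>1 " prefix seen in the review, RFC
# 3164 lines look like "Mon DD HH:MM:SS host app[pid]: msg".

# Print rfc5424, rfc3164 or unknown for the first non-blank line of file $1.
syslog_format() {
    first=$(sed -n '/[^[:space:]]/{p;q;}' "$1")
    if printf '%s\n' "$first" | grep -Eq '^<[0-9]{1,3}>1 [0-9]{4}-[0-9]{2}-[0-9]{2}T'; then
        echo rfc5424
    elif printf '%s\n' "$first" | grep -Eq '^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '; then
        echo rfc3164
    else
        echo unknown
    fi
}

# Rewrite each line of file $1 as "app: message". Both header patterns are
# tried on every line, so a file that changed format after a syslogd restart
# still works; lines matching neither pass through. The RFC 5424 STRUCTURED-DATA
# field is taken as "-" or one [..] element (a full parser must honour "\]").
syslog_normalise() {
    sed -E \
        -e 's/^<[0-9]{1,3}>1 [^ ]+ [^ ]+ ([^ ]+) [^ ]+ [^ ]+ (-|\[[^]]*\]) /\1: /' \
        -e 's/^[A-Z][a-z]{2} [ 0-9][0-9] [0-9:]{8} [^ ]+ ([A-Za-z0-9_.-]+)(\[[0-9]+\])?: /\1: /' \
        "$1"
}

# A report check written against the message, not the header, works for both.
count_invalid_users() {
    syslog_normalise "$1" | grep -Ec '^sshd[^:]*: Invalid user ' || true
}

# getopts option string for syslogd, assumed from syslogd(8): -a -b -f -l -M -m
# -O -P -p -S take an argument. The leading ":" keeps getopts quiet about flags
# it does not know, so only the argument-taking options really matter here.
SYSLOGD_OPTS=':468ACcdHkNnosTuva:b:f:l:M:m:O:P:p:S:'

# Print the output format selected by syslogd's arguments (everything after the
# program name). -O takes bsd|rfc3164 or syslog|rfc5424; with no -O, rfc3164.
syslogd_format_from_args() {
    fmt=rfc3164
    OPTIND=1
    while getopts "$SYSLOGD_OPTS" opt; do
        case "$opt" in
        O) case "$OPTARG" in
           syslog|rfc5424) fmt=rfc5424 ;;
           bsd|rfc3164) fmt=rfc3164 ;;
           *) echo "unknown -O format: $OPTARG" >&2; return 1 ;;
           esac ;;
        *) ;;   # any other flag, an unknown flag, or a missing argument
        esac
    done
    echo "$fmt"
}

# The same check against the daemon that is actually running, as the review
# suggests, rather than against rc.conf (not exercised by the samples below).
running_syslogd_format() {
    line=$(ps -axo command | grep '^/usr/sbin/syslogd' | head -n 1)
    [ -n "$line" ] || return 1
    # shellcheck disable=SC2086  # word splitting into arguments is intended
    set -- $line
    shift
    syslogd_format_from_args "$@"
}

# Constructed sample logs (example hosts and addresses, not real data).
make_samples() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/rfc5424.log" <<'EOF'
<38>1 2025-12-24T10:04:50.770790+01:00 host1.example.net sshd-session 13833 - - Invalid user admin from 192.0.2.10 port 57514
<38>1 2025-12-24T10:04:50.911948+01:00 host1.example.net sshd-session 13833 - - Failed password for invalid user admin from 192.0.2.10 port 57514 ssh2
<38>1 2025-12-24T10:05:00.000000+01:00 host1.example.net sshd-session 13900 - [meta seq="1"] Invalid user test from 192.0.2.11 port 40000
EOF
    cat >"$dir/mixed.log" <<'EOF'
Dec 24 10:04:50 host1 sshd[13833]: Invalid user admin from 192.0.2.10 port 57514
Dec 24 10:04:50 host1 sshd[13833]: Failed password for invalid user admin from 192.0.2.10 port 57514 ssh2
Dec  3 09:00:01 host1 sshd[13844]: Invalid user backup from 192.0.2.10 port 57578
<38>1 2025-12-24T11:00:00.000000+01:00 host1.example.net sshd-session 14000 - - Invalid user guest from 192.0.2.12 port 41000
EOF
    echo "$dir"
}

# Stand-alone demo over the constructed samples.
d=$(make_samples)
for f in "$d"/*.log; do
    printf '%s: first line %s, %s "Invalid user" lines\n' "$f" "$(syslog_format "$f")" "$(count_invalid_users "$f")"
done
rm -rf "$d"
```

`running_syslogd_format` is the `ps -axo command` check from the comment above fed through the same parser; pointing `syslogd_format_from_args` at `sysrc -n syslogd_flags` instead gives the configured rather than the running value, which is exactly the distinction the review draws. Because `syslog_normalise` decides per line, a file that holds both header styles after a restart with different flags is still read correctly, which tasting only the first line cannot do on its own.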