
periodic: Take syslog log format from RFC 5424 into account
Needs ReviewPublic

Authored by michaelo on Thu, Dec 25, 10:02 AM.
Tags
None
Details

Reviewers
jrm
Summary

Make all scripts analyzing syslog output aware of the output format
based on the flags passed to syslogd. It is either BSD format (RFC 3164) or
newer RFC 5424.

PR: 270497
MFC after: 2 weeks

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 69465
Build 66348: arc lint + arc unit

Event Timeline

Successfully arrived from last night:

deblndw011x.innomotics.net login failures:
<38>1 2025-12-24T10:04:50.770790+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514
<38>1 2025-12-24T10:04:50.863780+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Postponed keyboard-interactive for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514 ssh2 [preauth]
<35>1 2025-12-24T10:04:50.885123+01:00 deblndw011x.innomotics.net sshd-session 13833 - - error: PAM: Authentication error for illegal user uawet448@ad001.siemens.net from demchhc0dbx.hca.siemens.de
<38>1 2025-12-24T10:04:50.885602+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Failed keyboard-interactive/pam for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514 ssh2
<38>1 2025-12-24T10:04:50.911948+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Failed password for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 57514 ssh2
<38>1 2025-12-24T10:04:50.940358+01:00 deblndw011x.innomotics.net sshd-session 13833 - - Connection closed by invalid user uawet448@ad001.siemens.net 139.25.231.134 port 57514 [preauth]
<38>1 2025-12-24T10:04:51.244839+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556
<38>1 2025-12-24T10:04:51.646452+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Postponed keyboard-interactive for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556 ssh2 [preauth]
<35>1 2025-12-24T10:04:51.668119+01:00 deblndw011x.innomotics.net sshd-session 13838 - - error: PAM: Authentication error for illegal user AD7M26R4@ad007.siemens.net from demchhc0dbx.hca.siemens.de
<38>1 2025-12-24T10:04:51.668608+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Failed keyboard-interactive/pam for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556 ssh2
<38>1 2025-12-24T10:04:51.694973+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Failed password for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 57556 ssh2
<38>1 2025-12-24T10:04:51.723271+01:00 deblndw011x.innomotics.net sshd-session 13838 - - Connection closed by invalid user AD7M26R4@ad007.siemens.net 139.25.231.134 port 57556 [preauth]
<38>1 2025-12-24T10:04:52.088046+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Invalid user Fortimanager_Access from 139.25.231.134 port 57578
<38>1 2025-12-24T10:04:52.120184+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Postponed keyboard-interactive for invalid user Fortimanager_Access from 139.25.231.134 port 57578 ssh2 [preauth]
<35>1 2025-12-24T10:04:52.140961+01:00 deblndw011x.innomotics.net sshd-session 13844 - - error: PAM: Authentication error for illegal user Fortimanager_Access from demchhc0dbx.hca.siemens.de
<38>1 2025-12-24T10:04:52.141439+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Failed keyboard-interactive/pam for invalid user Fortimanager_Access from 139.25.231.134 port 57578 ssh2
<38>1 2025-12-24T10:04:52.165672+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Failed none for invalid user Fortimanager_Access from 139.25.231.134 port 57578 ssh2
<38>1 2025-12-24T10:04:52.197158+01:00 deblndw011x.innomotics.net sshd-session 13844 - - Connection closed by invalid user Fortimanager_Access 139.25.231.134 port 57578 [preauth]

@ziaee Any idea who I can request a review for this?

jrm requested changes to this revision.Sat, Dec 27, 5:00 AM

The underlying issue is real, but relying on a sysrc check seems fragile. The contents of /etc/rc.conf describe how syslogd should be started, but not necessarily how the currently running instance was started. For example, the user may have changed the configuration but not restarted the daemon. Also, the proposed flag-matching logic is brittle. For example, something like syslogd_flags="-N -ss -O rfc5424" is probably valid (untested) for syslogd, but wouldn't match your pattern.

Two alternatives come to mind:

  1. "Taste" the log file to determine which timestamp format is in use.
  2. Examine the arguments of the running syslogd, e.g. with `ps -axo command | grep '^/usr/sbin/syslogd '`.
This revision now requires changes to proceed.Sat, Dec 27, 5:00 AM

Fair points!

In D54361#1242707, @jrm wrote:

The underlying issue is real, but relying on a sysrc check seems fragile. The contents of /etc/rc.conf describe how syslogd should be started, but not necessarily how the currently running instance was started. For example, the user may have changed the configuration but not restarted the daemon. Also, the proposed flag-matching logic is brittle. For example, something like syslogd_flags="-N -ss -O rfc5424" is probably valid (untested) for syslogd, but wouldn't match your pattern.

Correct, it wouldn't match. I need to test this. Is *-O*syslog*|*-O*rfc5424*) better in your opinion?

Two alternatives come to mind:

  1. "Taste" the log file to determine which timestamp format is in use.

This causes inner pain.

  2. Examine the arguments of the running syslogd, e.g. with `ps -axo command | grep '^/usr/sbin/syslogd '`.

This is better, but not complete since it would also show the processes running in jails which might be different. -J0 does the trick. Let me play around with it. We can't take the PID file because it could have been altered as well and then we are back to the same situation. If we make this compromise we could use:

$ pargs 1544
1544:  syslogd
argv[0]: /usr/sbin/syslogd
argv[1]: -N
argv[2]: -ss
argv[3]: -O
argv[4]: rfc5424

WDYT? Ideally, I have the PID and the rest is not a problem anymore.

Is the rest of the code acceptable?

The extra spaces are consumed:

osipovmi@deblndw011x:/var/run
$ sysrc syslogd_flags
syslogd_flags: -N -ss -O     rfc5424
osipovmi@deblndw011x:/var/run
$ ps -J0 -axo command  | grep syslogd
/usr/sbin/syslogd -N -ss -O rfc5424
grep syslogd

Not a problem.
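Both of jrm's alternatives (tasting the log file, and reading the running syslogd's arguments as `ps -J0 -axo command` reports them) are easy to implement in the same POSIX sh that periodic scripts are written in. The following is an added example and is not code from this review or from FreeBSD's periodic scripts: the function names, the sample log lines (constructed, with documentation hostnames and addresses), and the failure pattern are all assumptions made here. It also assumes that `-O syslog` and `-O rfc5424` select RFC 5424 output and that anything else is syslogd's default BSD format, and that syslogd writes `-` for empty structured data, which is what the output quoted in this review shows.

```shell
#!/bin/sh
# Added example, not code from the review or from FreeBSD's periodic scripts.
# Two ways of learning which format syslogd writes, plus a header stripper so a
# loginfail-style report sees only the MSG part whatever the format.

# 1. Format from syslogd's command line, e.g. the output of
#    `ps -J0 -axo command | grep '^/usr/sbin/syslogd '`. Word-splitting the
#    line collapses the extra blanks seen in sysrc output, and both
#    "-O rfc5424" and "-Orfc5424" are accepted. "syslog"/"rfc5424" select
#    RFC 5424; anything else, including no -O at all, is the BSD default.
#    Hypothetical helper name.
syslogd_format_from_args() {
    fmt=bsd
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
        -O)   if [ $# -ge 2 ]; then fmt=$2; shift; fi ;;
        -O?*) fmt=${1#-O} ;;
        esac
        shift
    done
    case $fmt in
    syslog|rfc5424) echo rfc5424 ;;
    *)              echo bsd ;;
    esac
}

# 2. "Taste" the log file: classify the first line carrying a syslog header.
#    syslogd's RFC 5424 lines begin "<PRI>1 " plus an ISO 8601 timestamp;
#    its RFC 3164 lines begin "Mon DD HH:MM:SS". Hypothetical helper name.
syslog_format_from_file() {
    while IFS= read -r line; do
        case $line in
        '<'[0-9]*'>1 '[0-9][0-9][0-9][0-9]-[0-9][0-9]-*)
            echo rfc5424; return 0 ;;
        [A-Z][a-z][a-z]' '*[0-9]' '[0-9][0-9]:[0-9][0-9]:[0-9][0-9]' '*)
            echo bsd; return 0 ;;
        esac
    done < "$1"
    echo unknown
    return 1
}

# 3. Strip the header so only MSG remains.
#    RFC 5424: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG", with
#    SD assumed to be "-" (empty structured data, as syslogd writes it).
#    RFC 3164 as syslogd writes it: "Mon DD HH:MM:SS HOSTNAME TAG[pid]: MSG".
syslog_messages() {
    case $(syslog_format_from_file "$1") in
    rfc5424) sed -E 's/^<[0-9]+>1( [^ ]+){5} - //' "$1" ;;
    bsd)     sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ [^ ]+ //' "$1" ;;
    *)       return 1 ;;
    esac
}

# Count sshd login failures in a file of either format. The pattern is modeled
# on the messages quoted in the review, not on periodic's own expression.
# grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps status 0.
count_login_failures() {
    syslog_messages "$1" | grep -c -E '^(Failed [a-z/-]+ for|Invalid user)' || true
}

# Constructed sample logs (documentation hostnames and addresses).
write_samples() {
    cat > "$1/auth.rfc5424" <<'EOF'
<38>1 2025-12-24T10:04:50.770790+01:00 host.example.org sshd-session 13833 - - Invalid user test from 192.0.2.10 port 57514
<38>1 2025-12-24T10:04:50.863780+01:00 host.example.org sshd-session 13833 - - Postponed keyboard-interactive for invalid user test from 192.0.2.10 port 57514 ssh2 [preauth]
<38>1 2025-12-24T10:04:50.885602+01:00 host.example.org sshd-session 13833 - - Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 57514 ssh2
<38>1 2025-12-24T10:04:50.911948+01:00 host.example.org sshd-session 13833 - - Failed password for invalid user test from 192.0.2.10 port 57514 ssh2
<38>1 2025-12-24T10:04:50.940358+01:00 host.example.org sshd-session 13833 - - Connection closed by invalid user test 192.0.2.10 port 57514 [preauth]
EOF
    cat > "$1/auth.bsd" <<'EOF'
Dec 24 10:04:50 host.example.org sshd[13833]: Invalid user test from 192.0.2.10 port 57514
Dec 24 10:04:51 host.example.org sshd[13833]: Failed password for invalid user test from 192.0.2.10 port 57514 ssh2
Dec 24 10:04:52 host.example.org sshd[13840]: Accepted publickey for alice from 192.0.2.11 port 5000 ssh2
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
trap 'rm -rf "$dir"' EXIT
for f in "$dir/auth.rfc5424" "$dir/auth.bsd"; do
    printf '%s: format=%s failures=%s\n' "${f##*/}" \
        "$(syslog_format_from_file "$f")" "$(count_login_failures "$f")"
done
```

Reading the arguments of the running daemon answers "what is syslogd writing right now", which is what the reviewer asked for; tasting the file answers "what is in this file", which also covers a log that was rotated across a format change. A script that needs to be right in both situations can taste the file and fall back to the running daemon's arguments only when the file is empty.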

@jrm: Now it is calculated dynamically. Output from a jail:

root@deblndw011x2j:/etc/periodic
# security/800.loginfail

 login failures:
<38>1 2025-12-26T16:13:18.154398+01:00 deblndw011x2j.innomotics.net sshd-session 16123 - - Invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 3852
<38>1 2025-12-26T16:13:18.482344+01:00 deblndw011x2j.innomotics.net sshd-session 16123 - - Postponed keyboard-interactive for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 3852 ssh2 [preauth]
<35>1 2025-12-26T16:13:18.499570+01:00 deblndw011x2j.innomotics.net sshd-session 16123 - - error: PAM: Authentication error for illegal user AD7M26R4@ad007.siemens.net from demchhc0dbx.hca.siemens.de
<38>1 2025-12-26T16:13:18.500037+01:00 deblndw011x2j.innomotics.net sshd-session 16123 - - Failed keyboard-interactive/pam for invalid user AD7M26R4@ad007.siemens.net from 139.25.231.134 port 3852 ssh2
<38>1 2025-12-26T16:13:18.524908+01:00 deblndw011x2j.innomotics.net sshd-session 16123 - - Connection closed by invalid user AD7M26R4@ad007.siemens.net 139.25.231.134 port 3852 [preauth]
<38>1 2025-12-26T16:13:18.823408+01:00 deblndw011x2j.innomotics.net sshd-session 16126 - - Invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 47982
<38>1 2025-12-26T16:13:19.138645+01:00 deblndw011x2j.innomotics.net sshd-session 16126 - - Postponed keyboard-interactive for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 47982 ssh2 [preauth]
<35>1 2025-12-26T16:13:19.157005+01:00 deblndw011x2j.innomotics.net sshd-session 16126 - - error: PAM: Authentication error for illegal user uawet448@ad001.siemens.net from demchhc0dbx.hca.siemens.de
<38>1 2025-12-26T16:13:19.157734+01:00 deblndw011x2j.innomotics.net sshd-session 16126 - - Failed keyboard-interactive/pam for invalid user uawet448@ad001.siemens.net from 139.25.231.134 port 47982 ssh2
<38>1 2025-12-26T16:13:19.182468+01:00 deblndw011x2j.innomotics.net sshd-session 16126 - - Connection closed by invalid user uawet448@ad001.siemens.net 139.25.231.134 port 47982 [preauth]
<38>1 2025-12-26T16:13:19.474529+01:00 deblndw011x2j.innomotics.net sshd-session 16130 - - Invalid user jboss from 139.25.231.134 port 47992
<38>1 2025-12-26T16:13:19.507033+01:00 deblndw011x2j.innomotics.net sshd-session 16130 - - Postponed keyboard-interactive for invalid user jboss from 139.25.231.134 port 47992 ssh2 [preauth]
<35>1 2025-12-26T16:13:19.525610+01:00 deblndw011x2j.innomotics.net sshd-session 16130 - - error: PAM: Authentication error for illegal user jboss from demchhc0dbx.hca.siemens.de
<38>1 2025-12-26T16:13:19.526070+01:00 deblndw011x2j.innomotics.net sshd-session 16130 - - Failed keyboard-interactive/pam for invalid user jboss from 139.25.231.134 port 47992 ssh2
<38>1 2025-12-26T16:13:19.550612+01:00 deblndw011x2j.innomotics.net sshd-session 16130 - - Connection closed by invalid user jboss 139.25.231.134 port 47992 [preauth]
<38>1 2025-12-26T16:13:19.843577+01:00 deblndw011x2j.innomotics.net sshd-session 16133 - - Invalid user jboss from 139.25.231.134 port 47998
<38>1 2025-12-26T16:13:19.876271+01:00 deblndw011x2j.innomotics.net sshd-session 16133 - - Postponed keyboard-interactive for invalid user jboss from 139.25.231.134 port 47998 ssh2 [preauth]
<35>1 2025-12-26T16:13:19.895086+01:00 deblndw011x2j.innomotics.net sshd-session 16133 - - error: PAM: Authentication error for illegal user jboss from demchhc0dbx.hca.siemens.de
<38>1 2025-12-26T16:13:19.895538+01:00 deblndw011x2j.innomotics.net sshd-session 16133 - - Failed keyboard-interactive/pam for invalid user jboss from 139.25.231.134 port 47998 ssh2
<38>1 2025-12-26T16:13:19.920249+01:00 deblndw011x2j.innomotics.net sshd-session 16133 - - Connection closed by invalid user jboss 139.25.231.134 port 47998 [preauth]

where deblndw011x is the jail host.