'Re: [systemd-devel] =?utf-8?b?W3N5c3RlbWTigJFkZXZlbF0gQW50dzogW0VY?='

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       systemd-devel
Subject:    Re: [systemd-devel]  =?utf-8?b?W3N5c3RlbWTigJFkZXZlbF0gQW50dzogW0VY?=
From:       Mantas_Mikulėnas <grawity () gmail ! com>
Date:       2022-04-28 10:45:01
Message-ID: CAPWNY8X9W8JGWNO8ykf_h75ZaXYpRHX8hkmV7ruBQ0bkubDSmw () mail ! gmail ! com
[Download RAW message or body]

On Thu, Apr 28, 2022 at 1:26 PM Ulrich Windl <
Ulrich.Windl@rz.uni-regensburg.de> wrote:

> >>> Lennart Poettering <lennart@poettering.net> schrieb am 28.04.2022 um
> 10:27
> in
> Nachricht <YmpQCYN0Y/gxlzGU@gardel-login>:
> > On Do, 28.04.22 09:32, Ulrich Windl (Ulrich.Windl@rz.uni‑regensburg.de)
> wrote:
> >
> >> Actually I wasn't quite sure about the default config in SLES12.
> >> It seems the flow is journald ‑> local rsyslogd ‑> remote syslogd
> >>
> >> > rsyslogd already knows if messages are UTF‑8 because the system's
> $LANG
> >> > (well, nl_langinfo) says so. And if rsyslog can't trust that for some
> >> > reason (e.g. because a user might have a different locale), then
> >> > systemd‑journald won't be able to trust it either, so it won't know
> whether
> >> > it could add the BOM.
> >>
> >> How could a remote syslog server know what the locale on the sending
> system
> >> is?
> >
> > Your local rsyslogd could add the BOM when it transforms journal
> > messages to syslog datagrams.
> >
> >> > RFC 3164 over the network to a remote server? Outside the scope for
> >> > systemd, since it doesn't generate the network packets; your local
> rsyslogd
> >> > forwarder does. (Also, why RFC 3164 and not 5425?)
> >>
> >> If you look outside the world of systemd, about 99% of systems create
> the
> > RFC
> >> 3164 type of messages.
> >
> > That's a wild claim, and simply wrong actually.
>
> Well actually as systemd cannot send syslog messages to remote, which
> systems
> do you know that send RFC 5424 messages?
> Actually I know none here.
>

syslog-ng does with destination{syslog()}, rsyslogd does with
RSYSLOG_SyslogProtocol23Format; the HP switches at $WORK (and I think the
Cisco ones) didn't even have BSD-format as an option, always producing
5424-format.


> >
> > systemd is focussed on reality: we generate and process the same
> > format glibc generates.
>
> I'm wondering which API all those programs use that create correct syslog
> entries.
>

It's not that they create correct syslog entries, it's that the syslogd
(well, the /dev/log listener, so including journald) *parses and rebuilds*
the entries that come from the API before storing them anywhere.

Whether you use rsyslog or syslog-ng, they don't just dump program-provided
data to /var/log – they both parse the input into date + hostname + pid +
message, then reformat according to whatever output format is specified.
(For example, we have syslog-ng configured to write RFC3339 timestamps.)
Journald also does the same by design.

-- 
Mantas Mikulėnas

[Attachment #3 (text/html)]

<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, \
Apr 28, 2022 at 1:26 PM Ulrich Windl &lt;<a \
href="mailto:Ulrich.Windl@rz.uni-regensburg.de">Ulrich.Windl@rz.uni-regensburg.de</a>&gt; \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">&gt;&gt;&gt; Lennart \
Poettering &lt;<a href="mailto:lennart@poettering.net" \
target="_blank">lennart@poettering.net</a>&gt; schrieb am 28.04.2022 um 10:27<br> \
in<br> Nachricht &lt;YmpQCYN0Y/gxlzGU@gardel-login&gt;:<br>
&gt; On Do, 28.04.22 09:32, Ulrich Windl (<a \
href="mailto:Ulrich.Windl@rz.uni%E2%80%91regensburg.de" \
target="_blank">Ulrich.Windl@rz.uni‑regensburg.de</a>)<br> wrote:<br>
&gt; <br>
&gt;&gt; Actually I wasn&#39;t quite sure about the default config in SLES12.<br>
&gt;&gt; It seems the flow is journald ‑&gt; local rsyslogd ‑&gt; remote \
syslogd<br> &gt;&gt;<br>
&gt;&gt; &gt; rsyslogd already knows if messages are UTF‑8 because the system&#39;s \
$LANG<br> &gt;&gt; &gt; (well, nl_langinfo) says so. And if rsyslog can&#39;t trust \
that for some<br> &gt;&gt; &gt; reason (e.g. because a user might have a different \
locale), then<br> &gt;&gt; &gt; systemd‑journald won&#39;t be able to trust it \
either, so it won&#39;t know<br> whether<br>
&gt;&gt; &gt; it could add the BOM.<br>
&gt;&gt;<br>
&gt;&gt; How could a remote syslog server know what the locale on the sending<br>
system<br>
&gt;&gt; is?<br>
&gt; <br>
&gt; Your local rsyslogd could add the BOM when it transforms journal<br>
&gt; messages to syslog datagrams.<br>
&gt; <br>
&gt;&gt; &gt; RFC 3164 over the network to a remote server? Outside the scope for<br>
&gt;&gt; &gt; systemd, since it doesn&#39;t generate the network packets; your \
local<br> rsyslogd<br>
&gt;&gt; &gt; forwarder does. (Also, why RFC 3164 and not 5425?)<br>
&gt;&gt;<br>
&gt;&gt; If you look outside the world of systemd, about 99% of systems create the \
<br> &gt; RFC<br>
&gt;&gt; 3164 type of messages.<br>
&gt; <br>
&gt; That&#39;s a wild claim, and simply wrong actually.<br>
<br>
Well actually as systemd cannot send syslog messages to remote, which systems<br>
do you know that send RFC 5424 messages?<br>
Actually I know none here.<br></blockquote><div><br></div><div>syslog-ng does with \
destination{syslog()}, rsyslogd does with RSYSLOG_SyslogProtocol23Format; the HP \
switches at $WORK (and I think the Cisco ones) didn&#39;t even have BSD-format as an \
option, always producing 5424-format.<br></div><div>  </div><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex"> &gt; <br>
&gt; systemd is focussed on reality: we generate and process the same<br>
&gt; format glibc generates.<br>
<br>
I&#39;m wondering which API all those programs use that create correct syslog<br>
entries.<br></blockquote><div><br></div><div>It&#39;s not that they create correct \
syslog entries, it&#39;s that the syslogd (well, the /dev/log listener, so including \
journald) *parses and rebuilds* the entries that come from the API before storing \
them anywhere.</div><div><br></div><div>Whether you use rsyslog or syslog-ng, they \
don&#39;t just dump program-provided data to /var/log – they both parse the input \
into date + hostname + pid + message, then reformat according to whatever output \
format is specified. (For example, we have syslog-ng configured to write RFC3339 \
timestamps.) Journald also does the same by design.<br></div></div><br>-- <br><div \
dir="ltr" class="gmail_signature"><div dir="ltr">Mantas Mikulėnas</div></div></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic