Discussion:
Syslogd less verbose logging with rfc5424
Pavel Timofeev
2018-09-30 10:09:59 UTC
Hello, dear community!

There was a great work to bring rfc5424 date format to syslogd(8). See
https://svnweb.freebsd.org/base?view=revision&revision=332510

I've been using it on CURRENT since it was imported.
I'm happy I can finally get syslog messages with high time precision
w/o installing rsyslog or another syslog implementation.
The thing I really don't like is that syslogd puts severity and
priority in log files next to the timestamp.
In my opinion severity and priority are not needed in 99% of cases,
only in debugging corner cases, while the high-precision timestamp is the
main thing that people like rfc 5424 for. This is just my opinion.
So for "-O rfc5424" I'd like to have the same behavior as for rfc
3164, i.e. do not log severity and priority by default and if needed
use the '-v' option to enable those. But it was decided and documented
that '-v' won't have any effect for rfc 5425
https://svnweb.freebsd.org/base?view=revision&revision=335862

The first thing I'd like to suggest is to make rfc 5424 logging work the
same way as for rfc 3164, i.e. make the '-v' option work the same.
If the community does not agree with me, I'd like to suggest another thing:
have another option/flag for syslogd(8) to disable severity and
priority logging if one uses rfc 5424.
Pavel Timofeev
2018-09-30 10:16:52 UTC
Post by Pavel Timofeev
Hello, dear community!
There was a great work to bring rfc5424 date format to syslogd(8). See
https://svnweb.freebsd.org/base?view=revision&revision=332510
I've been using it on CURRENT since it was imported.
I'm happy I can finally get syslog messages with high time precision
w/o installing rsyslog or another syslog implementation.
The thing I really don't like is that syslogd puts severity and
priority in log files next to the timestamp.
In my opinion severity and priority are not needed in 99% of cases,
only in debugging corner cases, while the high-precision timestamp is the
main thing that people like rfc 5424 for. This is just my opinion.
So for "-O rfc5424" I'd like to have the same behavior as for rfc
3164, i.e. do not log severity and priority by default and if needed
use the '-v' option to enable those. But it was decided and documented
that '-v' won't have any effect for rfc 5425
https://svnweb.freebsd.org/base?view=revision&revision=335862
The first thing I'd like to suggest is to make rfc 5424 logging work the
same way as for rfc 3164, i.e. make the '-v' option work the same.
have another option/flag for syslogd(8) to disable severity and
priority logging if one uses rfc 5424.
Just for visibility, this is what the /var/log/message log looks like now if
I enable rfc 5424 logging:
<2>1 2018-09-30T13:13:14.105894+03:00 nostromo kernel - - - #8 0xffffffff8105f82c at amd64_syscall+0x28c
<2>1 2018-09-30T13:13:14.105901+03:00 nostromo kernel - - - #9 0xffffffff8103c14d at fast_syscall_common+0x101
<2>1 2018-09-30T13:13:14.105912+03:00 nostromo kernel - - - Security policy loaded: MAC/ntpd (mac_ntpd)
<101>1 2018-09-30T13:13:14.124700+03:00 nostromo ntpd 937 - - ntpd 4.2.8p12-a (1): Starting
<101>1 2018-09-30T13:13:14.224314+03:00 nostromo ntpd 938 - - leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
<101>1 2018-09-30T13:13:14.224570+03:00 nostromo ntpd 938 - - leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2018-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
<13>1 2018-09-30T13:13:14.391787+03:00 nostromo root 990 - - /etc/rc: WARNING: $dbus_enable is not set properly - see rc.conf(5).
<28>1 2018-09-30T13:13:14.640885+03:00 nostromo avahi-daemon 1038 - - WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Ed Schouten
2018-10-01 08:25:03 UTC
Hi Pavel,
Post by Pavel Timofeev
There was a great work to bring rfc5424 date format to syslogd(8). See
https://svnweb.freebsd.org/base?view=revision&revision=332510
I've been using it on CURRENT since it was imported.
I'm happy I can finally get syslog messages with high time precision
w/o installing rsyslog or another syslog implementation.
Great to hear you like it!
Post by Pavel Timofeev
The thing I really don't like is that syslogd puts severity and
priority in log files next to the timestamp.
In my opinion severity and priority are not needed in 99% of cases,
only in debugging corner cases, while the high-precision timestamp is the
main thing that people like rfc 5424 for. This is just my opinion.
So for "-O rfc5424" I'd like to have the same behavior as for rfc
3164, i.e. do not log severity and priority by default and if needed
use the '-v' option to enable those. But it was decided and documented
that '-v' won't have any effect for rfc 5425
https://svnweb.freebsd.org/base?view=revision&revision=335862
The first thing I'd like to suggest is to make rfc 5424 logging work the
same way as for rfc 3164, i.e. make the '-v' option work the same.
have another option/flag for syslogd(8) to disable severity and
priority logging if one uses rfc 5424.
I'm on the fence what the right approach is here. The problem is that
newsyslog's RFC5424 support also writes the priority/facility number
and has no way to suppress it. This means that if we were to remove it
from syslogd, we should also add a corresponding switch to syslogd.

That said, my biggest annoyance with the priority/facility number at
the start is not that it takes up space. It's that it's not always the
same width (1-3 columns for the number). This causes log entries to be
aligned inconsistently. This could easily be solved by adding some
leading zeroes, if it weren't for the fact that RFC 5424 explicitly
disallows it. That said, I'd be amazed if that would cause problems in
practice.

A middle ground would be to add leading zeroes when we don't write
messages across the network. That way we improve readability, while
still allowing log entries to be ingested by other systems that use
RFC 5424.
--
Ed Schouten <***@nuxi.nl>
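
The PRI handling discussed in this thread, as an added example that is not part of any post and is not syslogd code: a read-side filter that decodes the leading `<PRIVAL>` of stored RFC 5424 lines and rewrites them for local reading. The function names, the `strip`/`pad`/`name` modes and the lenient `PADDED` pattern are assumptions of this example; the sample lines are copied from the log excerpt above.

```python
import re

# RFC 5424 header starts "<PRIVAL>VERSION SP TIMESTAMP ...". PRIVAL is
# 1-3 digits in 0..191 and may not carry leading zeroes.
STRICT = re.compile(r"^<(0|[1-9][0-9]{0,2})>([1-9][0-9]?) (.*)$")
# Lenient form (assumption of this example) for locally stored padded lines.
PADDED = re.compile(r"^<([0-9]{1,3})>([1-9][0-9]?) (.*)$")
SEVERITY = ("emerg", "alert", "crit", "err",
            "warning", "notice", "info", "debug")
# Lines copied from the log excerpt in the thread.
SAMPLE = [
    "<2>1 2018-09-30T13:13:14.105912+03:00 nostromo kernel - - - "
    "Security policy loaded: MAC/ntpd (mac_ntpd)",
    "<101>1 2018-09-30T13:13:14.124700+03:00 nostromo ntpd 937 - - "
    "ntpd 4.2.8p12-a (1): Starting",
]

def split_pri(line, strict=True):
    """Return (prival, version, remainder), or None for an invalid header."""
    m = (STRICT if strict else PADDED).match(line)
    if m is None or int(m.group(1)) > 191:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)

def decode_pri(prival):
    """PRIVAL = facility * 8 + severity."""
    facility, severity = divmod(prival, 8)
    return facility, SEVERITY[severity]

def render(line, mode):
    """Rewrite one stored line; lines without a PRI header pass through."""
    parts = split_pri(line, strict=False)
    if parts is None:
        return line
    prival, version, rest = parts
    if mode == "strip":   # timestamp first, as with RFC 3164 without -v
        return rest
    if mode == "pad":     # fixed-width PRI; not valid RFC 5424 on the wire
        return "<%03d>%d %s" % (prival, version, rest)
    fac, sev = decode_pri(prival)   # "name": numeric facility, named severity
    return "%2d.%-7s %s" % (fac, sev, rest)

if __name__ == "__main__":
    for mode in ("strip", "pad", "name"):
        for line in SAMPLE:
            print(render(line, mode))
```

A strict parser rejects the zero-padded form (`split_pri("<002>1 ...")` returns `None`), which is why padding is only usable for files that are read locally and not forwarded as RFC 5424.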