Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC3339 timestamp that contains over 6 digit fractional part of seconds output binary data #5469

Open
ztanakaz opened this issue Oct 16, 2024 · 4 comments
Open

RFC3339 timestamp that contains over 6 digit fractional part of seconds output binary data #5469

ztanakaz opened this issue Oct 16, 2024 · 4 comments

Comments

@ztanakaz
Copy link

Expected behavior

Output original precision, or truncate by spec, or treat timestamp field as msg

Actual behavior

  1. recieve syslog packet from remote (ex. via udp)
  2. output to local logfile using dateFormat="rfc3339". ex.) RSYSLOG_FileFormat
  3. log text contains binary character at timestamp field when fractional part greater than 6 digits

Steps to reproduce the behavior

# n=""
# for i in $(seq 1 10); do
>   n="${n}$i"
>   echo $n: 
>   echo "<134>2024-10-16T18:00:00.${n}+09:00 HOSTNAME01 app01 testmsg${n}" | nc -w 1 -u  localhost 514
> done
1:
12:
123:
1234:
12345:
123456:
1234567:
12345678:
123456789:
12345678910:
# 
# tail /var/log/syslog
2024-10-16T18:00:00.1+09:00 HOSTNAME01 app01 testmsg1
2024-10-16T18:00:00.12+09:00 HOSTNAME01 app01 testmsg12
2024-10-16T18:00:00.123+09:00 HOSTNAME01 app01 testmsg123
2024-10-16T18:00:00.1234+09:00 HOSTNAME01 app01 testmsg1234
2024-10-16T18:00:00.12345+09:00 HOSTNAME01 app01 testmsg12345
2024-10-16T18:00:00.123456+09:00 HOSTNAME01 app01 testmsg123456
2024-10-16T18:00:00.繰09:00 HOSTNAME01 app01 testmsg1234567
2024-10-16T18:00:00.係+09:00 HOSTNAME01 app01 testmsg12345678
2024-10-16T18:00:00.係9+09:00 HOSTNAME01 app01 testmsg123456789
2024-10-16T20:25:43.241494+09:00 localhost 2024-10-16T18: 00:00.12345678910+09:00 HOSTNAME01 app01 testmsg12345678910
#

Environment

  • env1
    -- rsyslog version: 8.2312.0
    -- platform: Ubuntu 24.04
    -- for configuration questions/issues, include rsyslog.conf and included config files
module(load="imudp")
input(type="imudp" port="514")
  • env2
    -- rsyslog version: 8.24.0-55.el7
    -- platform: CentOS 7.9.2009
$ModLoad imudp
$UDPServerRun 514
if $programname == 'app01' then {
  *.*  /var/log/messages
  *.*  /var/log/debug.log;RSYSLOG_FileFormat
  stop
}
@rgerhards
Copy link
Member

This is intended behaviour, see https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3.1 Example 5. Syslog does not support a higher precision setting.

@davidelang
Copy link
Contributor

davidelang commented Oct 16, 2024 via email

@ztanakaz
Copy link
Author

Rsyslog (or RFC) specification is not a matter.
Outputted logfile including broken binary data is a matter.
Data will come from remote network devices such as appliances. We have no control over what format it is sent in.

If would not support wider precision, could you please truncate overflowed fractional digit or treat timestamp field as not timestamp?

Expected behavior

... or truncate by spec, or treat timestamp field as msg

Ignoring timestamp field is better than broken output (as a results, timestamp will be recieved time).

@rgerhards
Copy link
Member

@ztanakaz While I tend to agree with @davidelang that we should add a feature to support invalid precision values, you are pretty ignorant against standards. It might be that you do not care, but others rely on it. Especially as the spec says that too many precision digits mean the header is invalid.

It's no longer the time where "best guess" is always good - many security issues relate to not following specs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rgerhards @davidelang @ztanakaz