syslog format #20121
syslog format #20121
Conversation
|
I think this also can fix #20053. |
|
@calavera , yes it seems that it is caused by the same semicolon separator. |
|
@solganik you need to run |
|
@calavera thanks, fixing |
|
@solganik so are you sure this PR will keep backwards compatibility with all syslog readers? |
|
@tiborvass I`m not a syslog expert. however semicolon usage if rfc3164 protocol will not play well with semicolons within the 'TAG' and this is the only solution i was able to find. |
|
how can i re-run the "expiremental" job ? as it seems to experience some issue i suspect unrelated to my PR. |
|
@solganik there rebuilt experimental for you. |
|
I am not sure I like using @solganik Is there a way of escaping the |
|
Hi @tiborvass check out the rtsyslog source code here The way around this might be to replace the colon separator in the Image name with something else. Note also that putting "appname" in application name does not make sense as the reporting unit is "docker service" .. which dost not really bring any additional info as this is not the "application". (workload), moreover image name often is the "workload" identifier, which perfectly suites the APPNAME meaning. |
|
moreover even if you ignore linux implementation and get aligned with rfc 3164, it states: |
|
@solganik thanks for the pointer to the syslog code. That means that
That's not going to happen in the docker code, since we already use that separator.
So are you saying this to show that it's fine to use TAG as APP-NAME? If that's the case then fine, but it's a pity we'd be using TAG twice (from what i understand from your code) |
|
@tiborvass the reason to use the TAG twice is in order to comply with the RFC. We can omit the second tag, putting |
|
Should we change the format in a .1 release? Looking at #20053, I wonder if we should just strip the |
|
@thaJeztah please note that maxim length of rsyslogtag is |
|
@thaJeztah, @tiborvass I think we should not add this change as a fix for #20053. The parsing issue is very unfortunate, but we should not change the format in the patch release. After all, it's not really a bug in the syslog logger implementation, it works as expected, it's an issue with the user defined tag. See #20053 (comment) |
|
@tiborvass @calavera Am I correct in my understanding that we shouldn't proceed with this PR as per your comments above? |
|
@calavera The problem will also suffice if colon is used in "repository name", which can be if you are using custom docker repository in non standard port, the ":" serves as a host port separator as well. One proposal can be to keep the rfc 3164 for standard tag (which is id) and only use rfc5424 when non standard tag is used. |
|
One more crazy alternative would be to add an additional parameter and allow user to specify the rfc that he wants to use for syslog. |
|
@solganik I'm not against changing the rfc, or making it configurable, but we should look into it and I don't think we should change to a different rfc in a patch release |
|
Definitely should not change the format from the default, but seems fine to add an option to switch between the two. From past discussions it seems like this is a hot-button issue between people who need 1 RFC vs the other. |
|
ping @solganik can you update this PR to make the format configurable through an option? |
|
@thaJeztah any preffered name to the flag ? |
|
done |
|
sigh, network issues on Janky |
|
WindowsTP4 had network issues as well 😢 |
|
Restarted CI for those, fingers crossed |
|
@thaJeztah seems like all checks had passed .. |
thaJeztah
removed
the
status/failing-ci
|
ping @calavera @cpuguy83 ptal 👍 (@sashas-lb yay, it did! removed the "failing-ci" label \o/) |
|
LGTM |
|
If a non-unix address is specified, should we default to the 3164 format or were we always sending a unix format? Not sure I follow what the old code did. |
| func parseLogFormat(logFormat string) (syslog.Formatter, syslog.Framer, error) { | ||
| switch logFormat { | ||
| case "": | ||
| return syslog.UnixFormatter, syslog.DefaultFramer, nil |
There was a problem hiding this comment.
this should probably be syslog.DefaultFormatter to keep backwards compatibility, shouldn't it?
There was a problem hiding this comment.
actually, this should probably be under the default: case. Because empty string is the default value.
There was a problem hiding this comment.
Hi, @calavera @thaJeztah: current format keeps srslog behaviour as before the changes, please checkout the srs old code:
https://github.com/RackSec/srslog/blob/1155efef850aadc39aa84576f83a595a6fbdce74/srslog_unix.go#L42
formatter: "<%d>%s %s[%d]: %s"
timestamp := time.Now().Format(time.Stamp)
Now for the master srslog code:
https://github.com/RackSec/srslog/blob/master/formatter.go
default: "<%d> %s %s %s[%d]: %s"
timestamp := time.Now().Format(time.RFC3339)
unix "<%d>%s %s[%d]: %s"
timestamp := time.Now().Format(time.Stamp)
rfc3164 "<%d> %s %s %s[%d]: %s"
timestamp := time.Now().Format(time.Stamp)
So current code which defaults to unixformatter actually preserves original docker behaviour.
There was a problem hiding this comment.
@calavera but moving it under default doesn't catch the "default", it catches anything that isn't defined, so --log-format=bogus would use the default, instead of producing an error?
|
LGTM |
1 similar comment
|
LGTM |
|
Was it intentional to switch from using the DefaultFormatter https://github.com/RackSec/srslog/blob/259aed10dfa74ea2961eddd1d9847619f6e98837/formatter.go#L17 to the UnixFormatter ? https://github.com/RackSec/srslog/blob/259aed10dfa74ea2961eddd1d9847619f6e98837/formatter.go#L25 For the default ""? f500951#diff-204077a41ab69608a9d60e20344fab80R238 |
|
As far as i remember the "old" default formater became "unix fomater". I mean for "content" of course, check "default" formatter at the "previous" hash of syslogf package that is in use by docker. |
|
It at least changed from |
|
I see where all confusion is from :
See this: -clone git github.com/RackSec/srslog 6eb773f331e46fbba8eecb8e794e635e75fc04de Now if you check the relevant file of the "6eb773f331e46fbba8eecb8e794e635e75fc04de" commit in srslog project you will see that the formatter they use is:
But somehow in "docker" project itself the "copy" of srslog project used this: So de-facto seems that @a86c6f7964 is correct timestemp was in - timestamp := time.Now().Format(time.RFC3339) If this is a critical issue i guess this can be fixed by creating cutome formatter to keep backwards compatability. Unrelated but @thaJeztah there is an issue with vendoring process. |
|
I'm not sure it is a critical issue. I just wanted to bring it up for On Thu, Jul 7, 2016, 2:55 AM sashas-lb [email protected] wrote:
|
Use rfc5424 log format for syslog.
Previously docker used obsolete rfc3164 syslog format for syslog. rfc3164 explicitly
uses semicolon as a separator between 'TAG' and 'Content' section of the log message.
Docker uses semicolon as a separator between image name and version tag.
When {{.ImageName}} was used as a tag expression and contained ":" syslog parser mistreated
"tag" part of the image name as syslog message body, which resulted in incorrect "syslogtag" been reported by syslog
daemon.
Use of rfc5424 log format partually fixes the issue as it does not use semicolon as a separator.
However using default rfc5424 syslog format itroduces backward incompatability because rsyslog template keyword %syslogtag%
is parsed differently. In rfc3164 it uses the "TAG" part reported before the "pid" part. In rfc5424 it uses "appname" part reported
before the pid part, while tag part is introduced by %msgid% part.
For more information on rsyslog configuration properties see: http://www.rsyslog.com/doc/master/configuration/properties.html