Date:      Fri, 22 Jun 2018 13:07:51 -0700
From:      Gleb Smirnoff <glebius@freebsd.org>
To:        Ed Schouten <ed@nuxi.nl>
Cc:        Michael Grimm <trashcan@ellael.org>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, Mailing List FreeBSD Ports <freebsd-ports@freebsd.org>, "ed@FreeBSD.org" <ed@freebsd.org>, theis@gmx.at
Subject:   Re: py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
Message-ID:  <20180622200751.GD1103@cell.glebi.us>
In-Reply-To: <CABh_MKkdObTmbNXnKrudyHjkd8s3aukUUC=Vee%2BRShJepWpwNg@mail.gmail.com>
References:  <590A1B87-464D-455C-A03D-9908EB7AF286@ellael.org> <20180622155922.GA61217@plan-b.pwste.edu.pl> <697FFEFE-6AFB-45CE-ADCD-4DB10286E68B@ellael.org> <CABh_MKkdObTmbNXnKrudyHjkd8s3aukUUC=Vee%2BRShJepWpwNg@mail.gmail.com>

  Hi Ed,

On Fri, Jun 22, 2018 at 09:11:06PM +0200, Ed Schouten wrote:
E> > Ah, yes! Haven't thought about running syslogd in debugging mode:
E> >
E> >         Failed to parse TIMESTAMP from x.x.x.x: fail2ban.filter [79598]: INFO […]
E> 
E> This is interesting. As fail2ban uses Python's logging framework, I
E> managed to reproduce this with the following script:
E> 
E> #!/usr/bin/env python3
E> import logging.handlers
E> logging.basicConfig(handlers=[
E>     logging.handlers.SysLogHandler(
E>         '/var/run/log', facility=logging.handlers.SysLogHandler.LOG_LOCAL7)
E> ])
E> logging.warning('Hi')
E> 
E> This will write the following message to syslogd:
E> 
E> sendto(3,"<188>WARNING:root:Hi\0",21,0,NULL,0)   = 21 (0x15)
E> 
E> This message gets rejected by syslogd, due to the change made in
E> r326573, which later got adjusted by me and subsequently MFCed:
E> 
E> https://svnweb.freebsd.org/base?view=revision&revision=326573
E> 
E> Gleb, what are your thoughts on the attached patch? It alters syslogd
E> to let the 'legacy' RFC 3164 parser also accept messages without a
E> timestamp. The time on the syslogd server will be used instead.
E> 
E> Michael, Marek, could you please give this patch a try? Thanks!

I didn't examine the patch thoroughly, but I agree that it looks like
we have no other choice but to support the legacy and normal messages
at the same time.

-- 
Gleb Smirnoff
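
The behaviour discussed in this message, as an added example that is not part of the original e-mail and is not syslogd's code: a simplified Python model of an RFC 3164 receiver that decodes the PRI field and, when the TIMESTAMP is absent, either rejects the datagram or stamps it with its own receive time. The function name, the `strict` switch and the sample inputs are assumptions made for illustration.

```python
import re
from datetime import datetime

PRI_RE = re.compile(rb"<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss " with a space-padded day of month.
TS_RE = re.compile(rb"([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def parse_legacy(datagram, received_at, strict=False):
    """Split one datagram into facility, severity, time and message.

    strict=True models a receiver that requires the TIMESTAMP field;
    strict=False falls back to the receiver's own clock when it is absent.
    """
    pri_match = PRI_RE.match(datagram)
    if pri_match is None or int(pri_match.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(pri_match.group(1))
    rest = datagram[pri_match.end():].rstrip(b"\0\n")

    when, source = received_at, "receiver"
    ts = TS_RE.match(rest)
    if ts and ts.group(1).decode() in MONTHS:
        mon = MONTHS.index(ts.group(1).decode()) + 1
        day, hh, mm, ss = (int(ts.group(i).decode()) for i in range(2, 6))
        try:
            # RFC 3164 carries no year; borrow it from the receive time.
            when, source = datetime(received_at.year, mon, day, hh, mm, ss), "sender"
            rest = rest[ts.end():]
        except ValueError:
            pass  # impossible date such as "Feb 30": treat as no timestamp
    if source == "receiver" and strict:
        raise ValueError("Failed to parse TIMESTAMP")
    return {"facility": pri >> 3, "severity": pri & 7, "time": when,
            "time_source": source, "msg": rest.decode("utf-8", "replace")}


# Constructed inputs: the datagram from the sendto() trace quoted above, and
# a made-up message that does carry an RFC 3164 timestamp.
RECEIVED = datetime(2018, 6, 22, 13, 7, 51)
NO_TS = b"<188>WARNING:root:Hi\0"
WITH_TS = b"<188>Jun 22 12:00:01 host prog: hello"

if __name__ == "__main__":
    print(parse_legacy(NO_TS, RECEIVED))
    print(parse_legacy(WITH_TS, RECEIVED))
```

With `strict=True` the timestamp-less datagram is dropped, which is how a log-driven tool such as fail2ban can go silent without reporting any error of its own.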
