Date: Thu, 20 Dec 2018 11:37:21 +0000
From: Matt Churchyard <matt.churchyard@userve.net>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: FreeBSD 12 Log Format
Message-ID: <45953978cb214d1fa99e9ba58ab52a12@SERVER.ad.usd-group.com>

Hello,

I'm having some strange issues with the log format on one (only one of two...) of my FreeBSD 12 installs.

Both of these were upgraded from a previous version as I had an older installer available, but are pretty much stock.

However, one of these is logging in a new format (I see references around the commits to the inclusion of an rfc5424 format which seems to look very similar to what I'm seeing).

Dec 17 15:27:46 ftp 1 2018-12-17T15:27:46.576942+00:00 host.name.fqdn pkg-static 75241 - - pkg-1.10.5_5 installed

As far as I'm aware, it shouldn't be doing this unless I specifically choose to change the syslog format via rc.conf?

I really don't know what's going on as some logs such as maillog are still in the original format. It's not really a problem for me, I just can't understand why I'm seeing this on one server, but not another.

The forum link below is mine, but there's also a GitHub issue regarding base ssh logs seeing the same problem. (It was actually trying to configure fail2ban that got me looking at this in the first place.)

https://forums.freebsd.org/threads/freebsd-12-log-format-fail2ban-not-matching.68806/#post-410670
https://github.com/fail2ban/fail2ban/issues/2309

Just as another note, I started writing a fail2ban regex for this using the 5424 rfc, and as far as I can see there's a non-optional (at least I can't see mention of optional in the spec)** PRI value which should be before this version number, which doesn't appear to be there. Also of course the timestamp and hostname are duplicated at the start, although I believe that was kept on purpose.

** "The PRI part MUST have three, four, or five characters and will be bound with angle brackets as the first and last characters."

Regards,
Matt Churchyard

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45953978cb214d1fa99e9ba58ab52a12>
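
The three line shapes discussed in the message above, told apart in Python. This is an added example, not part of the original message and not FreeBSD or fail2ban code. The format names, the regexes, and the two sample lines marked as constructed are assumptions, and STRUCTURED-DATA handling is simplified.

```python
import re

# "Mmm dd hh:mm:ss host " prefix that the page's sample line carries in front of the 5424 fields
BSD_PREFIX = r"(?P<bsd_time>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<bsd_host>\S+) "
# RFC 5424 PRI: angle brackets around 1-3 digits (three to five characters in total)
PRI = r"<(?P<pri>\d{1,3})>"
# RFC 5424 fields after PRI; STRUCTURED-DATA is simplified to "-" or bracketed elements
HEADER = (r"(?P<version>[1-9]\d?) (?P<timestamp>-|\d{4}-\d{2}-\d{2}T\S+) "
          r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
          r"(?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?")
# Traditional BSD syslog line: "prefix app[pid]: message"
LEGACY = BSD_PREFIX + r"(?P<app>[^\s\[:]+)(?:\[(?P<procid>\d+)\])?: (?P<msg>.*)"

# Order matters: strict RFC 5424 first, then the prefixed PRI-less form, then legacy
PATTERNS = [
    ("rfc5424", re.compile(PRI + HEADER)),
    ("bsd-prefix+rfc5424-no-pri", re.compile(BSD_PREFIX + HEADER)),
    ("bsd", re.compile(LEGACY)),
]

def classify(line):
    """Return (format_name, fields) for the first pattern matching the whole line."""
    for name, pattern in PATTERNS:
        m = pattern.fullmatch(line.rstrip("\n"))
        if m:
            fields = m.groupdict()
            if name == "rfc5424" and int(fields["pri"]) > 191:
                continue  # PRI = facility * 8 + severity, so 191 is the maximum
            return name, fields
    return "unknown", {}

# Line quoted in the message above
PAGE_LINE = ("Dec 17 15:27:46 ftp 1 2018-12-17T15:27:46.576942+00:00 host.name.fqdn "
             "pkg-static 75241 - - pkg-1.10.5_5 installed")
# Constructed samples: the same event with a PRI and no prefix, and as a traditional line
STRICT_LINE = ("<13>1 2018-12-17T15:27:46.576942+00:00 host.name.fqdn "
               "pkg-static 75241 - - pkg-1.10.5_5 installed")
LEGACY_LINE = "Dec 17 15:27:46 ftp pkg-static[75241]: pkg-1.10.5_5 installed"

if __name__ == "__main__":
    for sample in (PAGE_LINE, STRICT_LINE, LEGACY_LINE):
        kind, fields = classify(sample)
        print(kind, fields.get("app"), fields.get("procid"), fields.get("msg"))
```
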