Strange behaviour of the facility value by using syslog/tcp
volker_zeihs Apr 21, 2016 3:37 AMHi,
I want to send all my JBoss log information to a sylog-ng server, by using tcp.
I found the following redhat solution:
https://access.redhat.com/solutions/1119893
So I implement that in a simple test environment and get some strange behaviour in relation to the facility value.
If I use TCP and one of the local facility’s, the first log line has the correct facility, but all lines below get the facility "user".
To localize the error I have made three simple tests. They are described below.
I also double checked the syslog-ng server witch some other application under use of tcp and some different facility’s.
First some global configurations and versions.
syslog-ng 2.0.9
Red Hat JBoss Enterprise Application Platform - Version 6.4.6.GA
SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 3
JAVA_VERSION="1.8.0_66"
root logger configuration in the standalone.xml
... <root-logger> <level name="INFO"/> <handlers> <handler name="CONSOLE"/> <handler name="FILE"/> <handler name="SYSLOG"/> </handlers> </root-logger> ...
The important parts of the syslog configfile.
... source src_net { tcp(ip("0.0.0.0") port(5141)); udp(ip("0.0.0.0") port(514)); }; ... destination networkMessages { file("/var/log/networkMessages" template("ISODATE=$ISODATE FACILITY=$FACILITY PROGRAM=$PROGRAM TAG=$TAG FULLHOST=$FULLHOST MSG=$MESSAGE \n") ); }; log { source(src_net); destination(networkMessages); }; ...
TEST ONE
JBoss logging handler (uses TCP and facility=user)
<custom-handler name="SYSLOG" class="org.jboss.logmanager.handlers.SyslogHandler" module="org.jboss.logmanager"> <encoding value="ISO-8859-1"/> <formatter> <pattern-formatter pattern="%-5p [%c] (%t) %s%E%n"/> </formatter> <properties> <property name="appName" value="JBossEAP-SYSLOG-TEST"/> <property name="facility" value="USER_LEVEL"/> <property name="serverHostname" value="*.*.*.*"/> <property name="hostname" value="-"/> <property name="port" value="5141"/> <property name="syslogType" value="RFC5424"/> <property name="protocol" value="TCP"/> <property name="messageDelimiter" value="-"/> <property name="useMessageDelimiter" value="true"/> </properties> </custom-handler>
The first two lines of the syslog output
ISODATE=2016-04-20T10:02:14+02:00 FACILITY=user PROGRAM=1 TAG=0e FULLHOST=***** MSG=1 2016-04-20T10:02:13.990+02:00 - JBossEAP-SYSLOG-TEST 62384 org.jboss.modules - INFO [org.jboss.modules] (main) JBoss Modules version 1.3.7.Final-redhat-1 ISODATE=2016-04-20T10:02:14+02:00 FACILITY=user PROGRAM=-<14>1 TAG=0d FULLHOST=***** MSG=-<14>1 2016-04-20T10:02:14.309+02:00 - JBossEAP-SYSLOG-TEST 62384 org.jboss.msc - INFO [org.jboss.msc] (main) JBoss MSC version 1.1.5.Final-redhat-1
NOTE: all like expected
TEST TWO
JBoss logging handler (uses UDP and facility=local1)
<custom-handler name="SYSLOG" class="org.jboss.logmanager.handlers.SyslogHandler" module="org.jboss.logmanager"> <encoding value="ISO-8859-1"/> <formatter> <pattern-formatter pattern="%-5p [%c] (%t) %s%E%n"/> </formatter> <properties> <property name="appName" value="JBossEAP-SYSLOG-TEST"/> <property name="facility" value="LOCAL_USE_1"/> <property name="serverHostname" value="*.*.*.*"/> <property name="hostname" value="-"/> <property name="port" value="514"/> <property name="syslogType" value="RFC5424"/> <property name="protocol" value="UDP"/> <property name="messageDelimiter" value="-"/> <property name="useMessageDelimiter" value="true"/> </properties> </custom-handler>
The first two lines of the syslog output
ISODATE=2016-04-20T10:08:31+02:00 FACILITY=local1 PROGRAM=1 TAG=8e FULLHOST=***** MSG=1 2016-04-20T10:08:31.322+02:00 - JBossEAP-SYSLOG-TEST 63794 org.jboss.modules - INFO [org.jboss.modules] (main) JBoss Modules version 1.3.7.Final-redhat-1 - ISODATE=2016-04-20T10:08:31+02:00 FACILITY=local1 PROGRAM=1 TAG=8e FULLHOST=***** MSG=1 2016-04-20T10:08:31.620+02:00 - JBossEAP-SYSLOG-TEST 63794 org.jboss.msc - INFO [org.jboss.msc] (main) JBoss MSC version 1.1.5.Final-redhat-1 -
NOTE: all like expected
TEST THREE
JBoss Loging handler (uses TCP and facility=local1)
<custom-handler name="SYSLOG" class="org.jboss.logmanager.handlers.SyslogHandler" module="org.jboss.logmanager"> <encoding value="ISO-8859-1"/> <formatter> <pattern-formatter pattern="%-5p [%c] (%t) %s%E%n"/> </formatter> <properties> <property name="appName" value="JBossEAP-SYSLOG-TEST"/> <property name="facility" value="LOCAL_USE_1"/> <property name="serverHostname" value="*.*.*.*"/> <property name="hostname" value="-"/> <property name="port" value="5141"/> <property name="syslogType" value="RFC5424"/> <property name="protocol" value="TCP"/> <property name="messageDelimiter" value="-"/> <property name="useMessageDelimiter" value="true"/> </properties> </custom-handler>
The first two lines of the syslog output
ISODATE=2016-04-20T10:03:58+02:00 FACILITY=local1 PROGRAM=1 TAG=8e FULLHOST=***** MSG=1 2016-04-20T10:03:58.663+02:00 - JBossEAP-SYSLOG-TEST 62775 org.jboss.modules - INFO [org.jboss.modules] (main) JBoss Modules version 1.3.7.Final-redhat-1 ISODATE=2016-04-20T10:03:58+02:00 FACILITY=user PROGRAM=-<142>1 TAG=0d FULLHOST=***** MSG=-<142>1 2016-04-20T10:03:58.945+02:00 - JBossEAP-SYSLOG-TEST 62775 org.jboss.msc - INFO [org.jboss.msc] (main) JBoss MSC version 1.1.5.Final-redhat-1
NOTE: first line like expected, all other have the facility user
Why is that?
Is there a Bug, or is there a mistake in the configuration?
Attachments: full standalone.xml
-
standalone.xml.zip 3.7 KB