summaryrefslogtreecommitdiff
path: root/usr.sbin/syslogd
AgeCommit message (Collapse)Author
2023-10-19syslogd(8) counts dropped UDP packets.Alexander Bluhm
Now that syslogd handles delayed DNS lookups, also count dropped packets to UDP loghosts. Although not every outgoing UDP packet dropped along the path can be detected, the message makes the admin aware that there is a local blind spot during startup. Improve debug and log messages, especially if UDP logging is shut down permanently. Also do not print 'last message repeated' if the message was dropped. OK deraadt@
2023-10-12Retry DNS lookup for remote loghost.Alexander Bluhm
If DNS lookup for a remote loghost configured in syslog.conf did not work at startup, the entry was ignored. Better retry the lookup in intervals until it succeeds. Improve debug output to print IP address after resolution. Unify retry code that resolves DNS for UDP and connects to TCP server. testing and feedback from Paul de Weerd; OK deraadt@
2023-08-11Replace use of the old BSD st_*timespec members in struct stat withPhilip Guenther
the POSIX-standard st_*tim members. ok millert@
2023-03-16When syslogd is sending messages via UDP to a remote loghost, itAlexander Bluhm
stops if there is a permanent error. Add EACCES generated by pf to the list of transient errors. This restores pre-6.5 behavior and continues logging after pf.conf has been fixed. OK millert@ deraadt@ mvs@
2023-03-08Delete obsolete /* ARGSUSED */ lint comments.Philip Guenther
ok miod@ millert@
2022-12-28spelling fixes; from paul tagliamonteJason McIntyre
any parts of his diff not taken are noted on tech
2022-06-16OpenBSD syslogd(8) escapes binary data with vis(3). Use theAlexander Bluhm
VIS_NOSLASH option to avoid additional backslashes. Although this option prevents to decode binaries, it makes automatic post processing easier. Formats like JSON use backslash escaping themself, additional escaping from syslogd would break SIEM systems. vis protection was introduced to avoid evil characters in log files and not to make binary logging possible. from Matthias Pitzl; OK deraadt@
2022-05-04Variable pri is uninitialized, use msg.m_pri instead. This affectsAlexander Bluhm
the priority of userland messages with kernel or unspecified facility. broken in previous commit; fix from markus@
2022-03-22Call tls_close() in libevent TLS wrapper of syslogd when the otherAlexander Bluhm
side terminates the TLS connection. It results in a proper shutdown and the TLS peer has a chance to detect errors. This is expecially important for the client side. Due to the reduced TLS 1.3 handshake, errors might be undetected and log messages dropped silently. By doing a matching TLS shutdown on his side, the client can receive the error. Instead of checking socket writability and calling tls_close() repeatedly, syslogd calls it only once. As the other side has closed the connection anyway it is our turn to write the shutdown message. Do not care about errors here and avoid complexity. OK tb@
2022-01-13Move parsing of incoming syslog messages to their own section.Martijn van Duren
This should make it more manageable. No functional change intended, debugging output slightly changed. help from and OK bluhm@
2021-12-13including sys/cdefs.h manually started as a result of netbsd trying toTheo de Raadt
macro-build a replacement for sccsid, and was done without any concern for namespace damage. Unfortunately this practice started infecting other code as others were unaware they didn't need the file. ok millert guenther
2021-11-10When sending via UDP, syslogd(8) can use iovec with sendmsg(2)Alexander Bluhm
instead of copying the strings with snprintf(3). OK martijn@
2021-10-24For open/openat, if the flags parameter does not contain O_CREAT, theTheo de Raadt
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
2021-09-19The LocalDomain in syslogd(8) is not used, remove variable.Alexander Bluhm
Use RFC 5424 NILVALUE as fallback for LocalHostName. OK millert@ mvs@
2021-09-10When writing a message, syslogd did a combination of puttingAlexander Bluhm
everything into an iov and do some sprintf() formating later. Better put everything into the iov upfront based on what the output methods need. Then either the full iov is written or a line is created by concatenating. OK martijn@
2021-09-03Make sure that strings passed to printline() are always NUL terminated.Alexander Bluhm
There was a corner case with a very long message received over TCP or TLS where this was not clear. Force a '\0' where this line is truncated. OK martijn@ deraadt@
2021-09-03Use a define for the iov array size in syslogd. This is betterAlexander Bluhm
than passing the magic number 6 around and checking at runtime whether its fits. OK deraadt@ martijn@ mvs@
2021-07-14Remove unneeded calls to tls_init(3)kn
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-12Change the error reporting pattern throughout the tree when unveilBob Beck
fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
2021-03-09Early daemons like dhcpleased(8), slaacd(8), unwind(8), resolvd(8)Alexander Bluhm
are started before syslogd(8). This resulted in ugly sendsyslog(2) dropped logs and the real message was lost. Create a temporary stash for log messages within the kernel. It has a limited size of 100 messages, and each message is truncated to 8192 bytes. When the stash is exhausted, the well-known dropped message is generated with a counter. After syslogd(8) has setup everything, it sends a debug line through libc to flush the kernel stash. Then syslogd receives all messages from the kernel before the usual logs. OK deraadt@ visa@
2020-09-16close all fds > STDERR_FILENO before executing the pipe program.Martijn van Duren
OK bluhm@
2020-09-14Established TCP and TLS sockets of syslogd did stay open foreverAlexander Bluhm
if a client aborted the connection silently. As syslogd does not write anything into incoming connections, it will not recognize failure. Setting TCP keep alive on the listen socket does prevent that for accecpted sockets. Note that outgoing connections do not need it as syslogd will write data into them. noticed by dhill@; OK millert@ beck@ deraadt@
2020-05-25When DNS lookup of an UDP loghost failed, syslogd(8) did close theAlexander Bluhm
UDP sockets for sending messages. Keep the sockets open if the config allows to send UDP. Then they can be used to send if DNS is working during the next SIGHUP. bug reported and fix tested by sven falempin; OK millert@
2019-07-05When syslogd(8) parent process terminates, the file cleanup codeAlexander Bluhm
did not work anymore. unveil(2) prevented removal. Cleaning the UNIX domain sockets is not necessary. They are harmless and unlinked before a new bind. So delete that functionality and convert global to local variables. Providing /var/run/syslog.pid is a common feature that should be kept. A stale pid file is confusing. So add a constant path to unveil(2) to allow pid file removal. OK deraadt@
2019-07-02React properly to the very unlikely cases where snprintf(3) mayAlexander Bluhm
fail. Log the message without formating, that is the best syslogd(8) can do. OK deraadt@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-01-18Increase the socket buffer size for sendsyslog(2) to 1 MB. DuringAlexander Bluhm
bursts it is possible that syslogd(8) cannot process messages fast enough. The larger kernel buffer allows to work them off in more time. Then fewer dropped messages are reported. problem found by millert@; OK claudio@ deraadt@
2019-01-13document how program names are extracted from log linesIngo Schwarze
in order to select syslog.conf(5) line blocks
2019-01-13When parsing log lines in order to select syslog.conf(5) line blocks, supportIngo Schwarze
program names containing period ('.') and underscore ('_') ASCII characters. Missing feature reported by and patch tested by Kawashima underscore James at yahoo dot co dot jp. "Makes sense." deraadt@
2018-11-29Honor SIGINT/QUIT when running in foregroundkn
Allows stopping `syslogd -F' with ^C. OK bluhm
2018-09-27Document how syslogd(8) escapes characters in log lines.Alexander Bluhm
input jmc@; OK sthen@
2018-09-02Document how SIGHUP and log rotation works with syslogd(8). Do notAlexander Bluhm
mention the PID file. While there, use .Nm consistently. wording from schwarze@; deraadt@ cheloha@ millert@ agree
2018-08-31Unsetting Initialized during syslogd die() is a relic from the timeAlexander Bluhm
when we had real signal handlers. But now we use libevent, so remove the old logic. OK deraadt@ millert@
2018-08-07Unveil fits nicely into the syslogd privsep model. Unveiled filesTheo de Raadt
include config file "r", utmp "r", /dev "rw", /bin/sh "x" for running piped commands, and the syslogd binary "x" itself for HUP re-exec upon config loads with changes. Also unveiled in the privsep process are the specific log files being written to. If a config file reload changes no files, the existing privsep process keeps running with unveil's to the relevant files (therefore it can cope with newsyslogd taking files away). If a new config file is loaded which changes the output files, the privsep process is restarted with fork+exec, and installs new unveils as needed. The safety we gain from unveil is that we've pigeonholed the privsep file-writer to exactly the files required. Help from bluhm for some edge cases.
2018-07-23Point to glob in section 7 for the actual list of special characters insteadkn
the C API in section 3. OK millert jmc nicm, "the right idea" deraadt
2018-07-17allow shell globs to match program and hostname selector tags viaDamien Miller
fnmatch(3); ok sthen@ bluhm@
2018-04-26Globally remember the passwd entry for _syslogd. The user id isAlexander Bluhm
used for opening the pipe process. Move the getpwnam() lookup out of the privsep parent loop, so it does not need "getpw" pledge anymore. OK deraadt@
2018-04-08AF_LOCAL was a failed attempt (by POSIX?) to seem less UNIX-specific, butPhilip Guenther
AF_UNIX is both the historical _and_ standard name, so prefer and recommend it in the headers, manpages, and kernel. ok miller@ deraadt@ schwarze@
2018-02-02convert the remaining examples to full sentences;Jason McIntyre
2018-02-01Add an example on how to log messages coming from a given host to aLandry Breuil
specific logfile. ok sthen@ millert@
2018-01-27Add missing `l' prefix to linker flag and markup SIGHUP; ok jmc@anton
2017-11-24Revert my change to ignore EIO errors when writing to log files.Alexander Bluhm
Syslogd continued logging messages to a file that had an EIO error. This could slow down the whole system. File system errors may cause huge delays at every access. This prevented debugging the issue. Now syslogd will log a warning and shut down logging to this file until restart or SIGHUP. OK deraadt@ espie@ millert@
2017-10-23When the partition of /var/log was full, syslogd(8) stopped writingAlexander Bluhm
to files located there. It did this permanently, so cleaning /var without SIGHUP to syslogd did not help. Better retry, write an error message to other log hosts, and write a summary of dropped messages after it works again. OK millert@ friehm@
2017-10-05When syslogd writes some startup errors to stderr or console, theyAlexander Bluhm
never appear in any log file. After initialization, write a summary into log files and to remote log host. So the problem shows up, when someone is looking at the persistent messages. Print the "dropped message" warning in a common function. OK sthen@ millert@
2017-10-05I have touched more than half the source code lines of syslogd(8).Alexander Bluhm
Add my copyright explicitly.
2017-10-02Also ignore "Can't assign requested address" error when sendto(2)Alexander Bluhm
to UDP loghost fails. Otherwise syslogd(8) would no longer send to this destination after the error occured once. tested by Rivo Nurges; OK millert@ benno@ deraadt@
2017-09-27Document how ioctl(2) LIOCSFD on /dev/klog registers a socket pairAlexander Bluhm
to receive sendsyslog(2) messages. discussed with martijn@; OK jmc@ deraadt@
2017-09-17syslogd has special code to report errors before it has beenAlexander Bluhm
initialized. For every message it did reopen the console with file descriptor passing from the privsep parent. Now preopen the console, so writing the message out works in more cases. If the console has been revoked, a reopen via privsep and write again is tried anyway. OK brynet@ deraadt@ jca@
2017-09-17When writing local output, syslogd ignores EAGAIN. UnfortunatelyAlexander Bluhm
it has closed the file descriptor before checking the errno. So f_file contained a bad file descriptor that could be reused at the next open. Keep the file open if errno is EAGAIN. Move the close(2) down where the old file descriptor in f_file is overwritten in all cases. OK deraadt@ jca@
2017-09-12In the default configuration syslogd(8) kept two *:514 UDP socketsAlexander Bluhm
open. These sockets are used for sending UDP packets if there is a UDP loghost in syslog.conf(5). If syslogd is started with -u, they can receive packets, otherwise they are disabled with shutdown(SHUT_RD). In case syslogd does neither send nor receive, close the sockets after reading the configuration file. This gives us a cleaner netstat output, and the ports are not reported by port scanners. This has no security implication. OK benno@ jca@ sthen@ deraadt@