Ed Schouten
2018-Jun-22 19:11 UTC
py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
Hi Marek,

[ +glebius ]

Thanks for reporting this!

2018-06-22 18:54 GMT+02:00 Michael Grimm <trashcan at ellael.org>:
>> Failed to parse TIMESTAMP from x.x.x.x: 12403: Jun 22 17:31:38 CEST:
>> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17,
>> changed state to down
>
> Ah, yes! Haven't thought about running syslogd in debugging mode:
>
> Failed to parse TIMESTAMP from x.x.x.x: fail2ban.filter [79598]: INFO [?]

This is interesting. As fail2ban uses Python's logging framework, I
managed to reproduce this with the following script:

#!/usr/bin/env python3
import logging.handlers
logging.basicConfig(handlers=[
    logging.handlers.SysLogHandler(
        '/var/run/log', facility=logging.handlers.SysLogHandler.LOG_LOCAL7)
])
logging.warning('Hi')

This will write the following message to syslogd:

sendto(3,"<188>WARNING:root:Hi\0",21,0,NULL,0) = 21 (0x15)

This message gets rejected by syslogd, due to the change made in
r326573, which later got adjusted by me and subsequently MFCed:

https://svnweb.freebsd.org/base?view=revision&revision=326573

Gleb, what are your thoughts on the attached patch? It alters syslogd
to let the 'legacy' RFC 3164 parser also accept messages without a
timestamp. The time on the syslogd server will be used instead.

Michael, Marek, could you please give this patch a try? Thanks!

--
Ed Schouten <ed at nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands

Attachment: syslogd-optional-timestamp.diff (text/x-patch, 2720 bytes)
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20180622/9f1e848e/attachment.bin>
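
Added example, not part of the thread and not the attached patch: a small Python model of the parsing decision discussed in the message above, run on the datagram from the sendto() trace. The function names, the `require_timestamp` switch, the `time_source` field and taking the year from the receive time are assumptions of this sketch, not syslogd's code.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
PRI = re.compile(r"<(\d{1,3})>")
# RFC 3164 timestamp "Mmm dd hh:mm:ss " (day of month is space-padded).
STAMP = re.compile(r"(%s) ([ \d]\d) (\d\d):(\d\d):(\d\d) " % "|".join(MONTHS))

def header_time(rest, year):
    """Return (sender time or None, text after the timestamp)."""
    m = STAMP.match(rest)
    if not m:
        return None, rest
    mon, day, hh, mm, ss = m.groups()
    try:
        when = datetime(year, MONTHS.index(mon) + 1, int(day),
                        int(hh), int(mm), int(ss))
    except ValueError:            # e.g. "Feb 31": no usable timestamp
        return None, rest
    return when, rest[m.end():]

def parse_rfc3164(datagram, received, require_timestamp):
    """Return a dict for an accepted message, or None when it is dropped."""
    text = datagram.rstrip(b"\0").decode("utf-8", "replace")
    m = PRI.match(text)
    if not m or int(m.group(1)) > 191:   # 24 facilities * 8 severities
        return None
    pri = int(m.group(1))
    when, rest = header_time(text[m.end():], received.year)
    if when is None:
        if require_timestamp:            # strict: the message is lost
            return None
        when, source = received, "receiver"   # lenient: use server time
    else:
        source = "sender"
    return {"facility": pri >> 3, "severity": pri & 7,
            "time": when, "time_source": source, "msg": rest}

# Datagram from the sendto() trace in the thread; receive time is constructed.
FAIL2BAN_STYLE = b"<188>WARNING:root:Hi\0"
# Constructed message that does carry an RFC 3164 timestamp.
WITH_STAMP = b"<188>Jun 22 17:31:38 host app: hello"
RECEIVED = datetime(2018, 6, 22, 19, 11, 0)

if __name__ == "__main__":
    for strict in (True, False):
        print(strict, parse_rfc3164(FAIL2BAN_STYLE, RECEIVED, strict))
    print(parse_rfc3164(WITH_STAMP, RECEIVED, True))
```

In strict mode the fail2ban-style message is dropped; in lenient mode it is kept with a receiver-assigned time, and `time_source` records that so log consumers can tell it apart from a sender-supplied timestamp.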
Michael Grimm
2018-Jun-22 19:26 UTC
py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
On 22. Jun 2018, at 21:11, Ed Schouten <ed at nuxi.nl> wrote:

> Gleb, what are your thoughts on the attached patch? It alters syslogd
> to let the 'legacy' RFC 3164 parser also accept messages without a
> timestamp. The time on the syslogd server will be used instead.
>
> Michael, Marek, could you please give this patch a try? Thanks!

Recompiled world (FreeBSD 11.2-STABLE r335532), substituted syslogd with the re-compiled one, and:

Thank you! Your patch is working w.r.t. fail2ban logging to SYSLOG. Perfect!

Thank you very much for this fast fix, and regards,
Michael
Gleb Smirnoff
2018-Jun-22 20:07 UTC
py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
Hi Ed,

On Fri, Jun 22, 2018 at 09:11:06PM +0200, Ed Schouten wrote:
E> > Ah, yes! Haven't thought about running syslogd in debugging mode:
E> >
E> > Failed to parse TIMESTAMP from x.x.x.x: fail2ban.filter [79598]: INFO [?]
E>
E> This is interesting. As fail2ban uses Python's logging framework, I
E> managed to reproduce this with the following script:
E>
E> #!/usr/bin/env python3
E> import logging.handlers
E> logging.basicConfig(handlers=[
E>     logging.handlers.SysLogHandler(
E>         '/var/run/log', facility=logging.handlers.SysLogHandler.LOG_LOCAL7)
E> ])
E> logging.warning('Hi')
E>
E> This will write the following message to syslogd:
E>
E> sendto(3,"<188>WARNING:root:Hi\0",21,0,NULL,0) = 21 (0x15)
E>
E> This message gets rejected by syslogd, due to the change made in
E> r326573, which later got adjusted by me and subsequently MFCed:
E>
E> https://svnweb.freebsd.org/base?view=revision&revision=326573
E>
E> Gleb, what are your thoughts on the attached patch? It alters syslogd
E> to let the 'legacy' RFC 3164 parser also accept messages without a
E> timestamp. The time on the syslogd server will be used instead.
E>
E> Michael, Marek, could you please give this patch a try? Thanks!

I didn't examine the patch thoroughly, but I agree that it looks like we
have no other choice than to support the legacy and normal messages at the
same time.

--
Gleb Smirnoff
Marek Zarychta
2018-Jun-22 20:48 UTC
py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
On Fri, Jun 22, 2018 at 09:11:06PM +0200, Ed Schouten wrote:
> Hi Marek,
>
> [ +glebius ]
>
> Thanks for reporting this!
>
> 2018-06-22 18:54 GMT+02:00 Michael Grimm <trashcan at ellael.org>:
> >> Failed to parse TIMESTAMP from x.x.x.x: 12403: Jun 22 17:31:38 CEST:
> >> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17,
> >> changed state to down
> >
> > Ah, yes! Haven't thought about running syslogd in debugging mode:
> >
> > Failed to parse TIMESTAMP from x.x.x.x: fail2ban.filter [79598]: INFO [?]
>
> This is interesting. As fail2ban uses Python's logging framework, I
> managed to reproduce this with the following script:
>
> #!/usr/bin/env python3
> import logging.handlers
> logging.basicConfig(handlers=[
>     logging.handlers.SysLogHandler(
>         '/var/run/log', facility=logging.handlers.SysLogHandler.LOG_LOCAL7)
> ])
> logging.warning('Hi')
>
> This will write the following message to syslogd:
>
> sendto(3,"<188>WARNING:root:Hi\0",21,0,NULL,0) = 21 (0x15)
>
> This message gets rejected by syslogd, due to the change made in
> r326573, which later got adjusted by me and subsequently MFCed:
>
> https://svnweb.freebsd.org/base?view=revision&revision=326573
>
> Gleb, what are your thoughts on the attached patch? It alters syslogd
> to let the 'legacy' RFC 3164 parser also accept messages without a
> timestamp. The time on the syslogd server will be used instead.
>
> Michael, Marek, could you please give this patch a try? Thanks!
>

Hi Ed,

Thank you for the expedited effort. The patch compiles fine and I can confirm that it resolves the issue.

--
Marek Zarychta