Project

General

Profile

Bug #6975

<Hostname> is omitted when sending logs on syslog

Added by Idar Lund almost 4 years ago. Updated almost 4 years ago.

Status:
Rejected
Priority:
High
Assignee:
-
Category:
Logging
Target version:
-
Start date:
11/30/2016
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.3.2
Affected Architecture:
All

Description

When sending "filterlog" over syslog the standard defined in https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2 (<Timestamp> <Hostname> filterlog: <CSV data>) is not followed.

Filterlog log messages sent over syslog looks like this;
Nov 30 10:52:35 filterlog: 9,16777216,,1000000103,em0,match,block,in,4,0x0,,54,15133,0,none,6,tcp,40,x.x.x.x,x.x.x.x,48224,7547,0,S,1482288191,,37965,,
The field <Hostname> is not sent.

History

#1 Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Rejected

Remote syslog data doesn't include the hostname, that is up to the receiving log server to handle.

#2 Updated by Idar Lund almost 4 years ago

Jim Pingle wrote:

Remote syslog data doesn't include the hostname, that is up to the receiving log server to handle.

That's wrong. It should include hostname. Also, some of the syslog sent from pfsense also includes that;
Dec 1 07:52:09 pfsense.effnet nginx: 10.5.10.105 - - [01/Dec/2016:07:52:09 +0100] "GET /widgets/widgets/suricata_alerts.widget.php?getNewAlerts=1480575129371 HTTP/1.1" 200 199 "https://10.5.20.1/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

According to https://www.ietf.org/rfc/rfc3164.txt, a message that are sent to a remote host should include a header. In 4.1.2, the HEADER is explained; The HEADER contains two fields called the TIMESTAMP and the HOSTNAME. The TIMESTAMP will immediately follow the trailing ">" from the PRI part and single space characters MUST follow each of the TIMESTAMP and HOSTNAME fields. HOSTNAME will contain the hostname, as it knows itself. If it does not have a hostname, then it will contain its own IP address. If a device has multiple IP addresses, it has usually been seen to use the IP address from which the message is transmitted.

If you still consider this not a bug, you should 1; update https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2 accordingly. 2; change the behavor of the other messages transmitted from pfsense which includes the hostname.

Also available in: Atom PDF