Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LOG-6236: Align syslog output implementation with spec RFC3164 and RFC5124 #2830

Merged
merged 1 commit into from
Dec 11, 2024
Merged

LOG-6236: Align syslog output implementation with spec RFC3164 and RFC5124 #2830

merged 1 commit into from
Dec 11, 2024

Conversation

vparfonov
Copy link
Contributor

@vparfonov vparfonov commented Oct 15, 2024
edited
Loading

Description

This PR addressed to align Syslog Output with syslog specification RFC3164 and RFC5424

Default values for fields:

RFC3164

Format: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
Example:<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/

journal application infrastructure note
AppName SYSLOG_IDENTIFIER* namespacePodContainer .log_source
ProcId _PID* N/A .auditID (if available)
MsgId N/A N/A N/A will have no effect in settings
Payloadkey .message .message .message
Severity N/A .level information (6)
Facility N/A user (1) security(13)

*If ProcId available, it will aggregate with AppName in the .tag field: appname[procid]

RFC5424

Format: <PRI> VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MESSAGE
Example: <PRI>1 2024-11-08T14:35:04.123Z ip-10-0-88-196.ec2.internal app-name 1234 ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] This is a sample message

journal application infrastructure
AppName SYSLOG_IDENTIFIER namespace_pod_container .log_source
ProcId _PID pod_id .auditID (if available)
MsgId .log_source .log_source .log_sourcel
Payloadkey .message .message .message
Severity N/A .level information (6)
Facility N/A user (1) security(13)

Changes:

  • add calculation for default value if field not configured according to the table above
  • fix configuration for deployed syslog server in functional test to follow RFC3164 specification

/cc @cahartma @Clee2691
/assign @jcantrill

/cherry-pick

Links

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 15, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Oct 15, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@vparfonov vparfonov changed the title Add functional test infrastructure -> syslog Align syslog output implementation with spec Nov 4, 2024
jcantrill
jcantrill reviewed Nov 4, 2024
View reviewed changes
internal/generator/vector/output/syslog/rfc3164_with_app_name_setting.toml Outdated
source = '''
. = merge(., parse_json!(string!(.message))) ?? .

.tag = to_string!(.systemd.u.SYSLOG_IDENTIFIER[.systemd.t.PID] || .systemd.u.SYSLOG_IDENTIFIER || "-")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want the fallback to be empty spaces for all of these. Fluentd used "-" but I do not see where dash is anything in the spec

@vparfonov
Copy link
Contributor Author

/test all

@vparfonov
Copy link
Contributor Author

/test all

@vparfonov vparfonov changed the title Align syslog output implementation with spec LOG-6236: Align syslog output implementation with spec RFC3164 and RFC5124 Nov 8, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 8, 2024
@openshift-ci-robot
Copy link

@vparfonov: This pull request references LOG-6236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.8.0" version, but no target version was set.

In response to this:

Description

This PR addressed to align CLO Syslog Output with syslog specification RFC3164 and RFC5424

RFC3164

Format: <PRI> TIMESTAMP HOSTNAME TAG: MESSAGE
<34>.@timestamp .hostname .tag: .message
Example:
<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/

journal application infrastructure
AppName SYSLOG_IDENTIFIER* namespace_pod_container .log_source
ProcId _PID* N/A .auditID or "-" l
MsgId N/A .log_source .log_sourcel
Payloadkey .message .message .message
Severity N/A .level information (6)
Facility N/A user (1) security(13)

/cc
/assign

/cherry-pick

Links

  • Depending on PR(s):
  • Bugzilla:
  • Github issue:
  • JIRA:
  • Enhancement proposal:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@vparfonov vparfonov marked this pull request as ready for review November 8, 2024 15:45
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 8, 2024
@cahartma
Copy link
Contributor

cahartma commented Nov 8, 2024

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 8, 2024
jcantrill
jcantrill reviewed Nov 8, 2024
View reviewed changes
internal/generator/vector/output/syslog/syslog.go
})
}

if s.ProcId != "" {
if s.ProcId == "" {
s.ProcId = `{._internal.syslog.proc_id || "-"}`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My previous comment regarding "default" applies and the reason I really want to hash this out in the document of what the various scenarios look like. IMO the fallback should not be -; it should be empty

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes for RFC3164 should be empty, but for RFC5164 -. I will update

kattz-kawa
kattz-kawa reviewed Nov 14, 2024
View reviewed changes
internal/generator/vector/output/syslog/rfc3164_with_defaults.toml
inputs = ["application"]
source = '''
. = merge(., parse_json!(string!(.message))) ?? .
if .log_type == "infrastructure" && .log_source == "node" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vparfonov There might be logs with .log_type == "infrastructure" that do not have .log_source == "node". As far as I can see, I found that the logs from namespace_name=openshift-kube-apiserver and container_name=kube-apiserver do not have .log_source == "node". This line may need a conditional statement for container logs within the openshift-* namespace.

Copy link
Contributor Author

@vparfonov vparfonov Nov 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kattz-kawa Good point, it can be .log_source == "container", but it will be not journal log something closer to application logs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the only input to this transform truly is "application" logs, "application" is ever only container logs; it is never sourced from journald. This means we should alter the transforms accordingly

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this logic is correct, could simplify slightly :

  • if (node) - these are journald logs and we can map the syslog fields exactly from the logs.
    Note: 'if (node)' is equivalent to 'if (infra && node)' because all node logs are infra logs.
    The difference in format is really node vs. container, not application vs. infra.
  • if (container) - container logs are formatted the same regardless of type (application or infra)
  • if (audit) - audit logs formatted differently from either of the previous two cases.

@vparfonov
LOG-6236: Align syslog output implementation with spec RFC3164 and RF…
2b0ac9b 
…C5124

Signed-off-by: Vitalii Parfonov <vparfono@redhat.com>
@vparfonov
Copy link
Contributor Author

/retest

alanconway
alanconway approved these changes Nov 19, 2024
View reviewed changes
Copy link
Contributor

@alanconway alanconway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

internal/generator/vector/output/syslog/rfc3164_with_defaults.toml
inputs = ["application"]
source = '''
. = merge(., parse_json!(string!(.message))) ?? .
if .log_type == "infrastructure" && .log_source == "node" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this logic is correct, could simplify slightly :

  • if (node) - these are journald logs and we can map the syslog fields exactly from the logs.
    Note: 'if (node)' is equivalent to 'if (infra && node)' because all node logs are infra logs.
    The difference in format is really node vs. container, not application vs. infra.
  • if (container) - container logs are formatted the same regardless of type (application or infra)
  • if (audit) - audit logs formatted differently from either of the previous two cases.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alanconway, vparfonov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 19, 2024
@alanconway
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 19, 2024
@cahartma
Copy link
Contributor

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 11, 2024
@vparfonov
Copy link
Contributor Author

/retest

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 11, 2024

@vparfonov: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit a3d72d9 into openshift:master Dec 11, 2024
8 checks passed
@vparfonov vparfonov deleted the log6236 branch December 11, 2024 17:22
@openshift-cherrypick-robot
Copy link

@vparfonov: cannot checkout <!--: error checking out "<!--": exit status 1 error: pathspec '<!--' did not match any file(s) known to git

In response to this:

Description

This PR addressed to align Syslog Output with syslog specification RFC3164 and RFC5424

Default values for fields:

RFC3164

Format: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
Example:<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/

journal application infrastructure note
AppName SYSLOG_IDENTIFIER* namespacePodContainer .log_source
ProcId _PID* N/A .auditID (if available)
MsgId N/A N/A N/A will have no effect in settings
Payloadkey .message .message .message
Severity N/A .level information (6)
Facility N/A user (1) security(13)

*If ProcId available, it will aggregate with AppName in the .tag field: appname[procid]

RFC5424

Format: <PRI> VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MESSAGE
Example: <PRI>1 2024-11-08T14:35:04.123Z ip-10-0-88-196.ec2.internal app-name 1234 ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] This is a sample message

journal application infrastructure
AppName SYSLOG_IDENTIFIER namespace_pod_container .log_source
ProcId _PID pod_id .auditID (if available)
MsgId .log_source .log_source .log_sourcel
Payloadkey .message .message .message
Severity N/A .level information (6)
Facility N/A user (1) security(13)

Changes:

  • add calculation for default value if field not configured according to the table above
  • fix configuration for deployed syslog server in functional test to follow RFC3164 specification

/cc @cahartma @Clee2691
/assign @jcantrill

/cherry-pick

Links

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@vparfonov
Copy link
Contributor Author

/cherry-pick release-6.1

@openshift-cherrypick-robot
Copy link

@vparfonov: new pull request created: #2905

In response to this:

/cherry-pick release-6.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Dec 11, 2024
Merged
@vparfonov vparfonov mentioned this pull request Dec 12, 2024
Merged
@vparfonov
Copy link
Contributor Author

/cherry-pick release-6.0

@openshift-cherrypick-robot
Copy link

@vparfonov: #2830 failed to apply on top of branch "release-6.0":

Applying: LOG-6236: Align syslog output implementation with spec RFC3164 and RFC5124
.git/rebase-apply/patch:37: space before tab in indent.
   	._internal.syslog.tag = replace(._internal.syslog.tag, r'[^a-zA-Z0-9]', "")
.git/rebase-apply/patch:92: space before tab in indent.
   	._internal.syslog.tag = join!([.kubernetes.namespace_name, .kubernetes.pod_name, .kubernetes.container_name], "")
.git/rebase-apply/patch:93: space before tab in indent.
   	._internal.syslog.severity = .level
.git/rebase-apply/patch:94: space before tab in indent.
   	._internal.syslog.facility = "user"
.git/rebase-apply/patch:95: space before tab in indent.
   	#Remove non-alphanumeric characters
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
Using index info to reconstruct a base tree...
M	internal/generator/vector/output/syslog/syslog.go
M	internal/generator/vector/output/syslog/syslog_test.go
M	test/functional/outputs/syslog/forward_to_syslog_test.go
Falling back to patching base and 3-way merge...
Auto-merging test/functional/outputs/syslog/forward_to_syslog_test.go
CONFLICT (content): Merge conflict in test/functional/outputs/syslog/forward_to_syslog_test.go
Auto-merging internal/generator/vector/output/syslog/syslog_test.go
CONFLICT (content): Merge conflict in internal/generator/vector/output/syslog/syslog_test.go
Auto-merging internal/generator/vector/output/syslog/syslog.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 LOG-6236: Align syslog output implementation with spec RFC3164 and RFC5124

In response to this:

/cherry-pick release-6.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@vparfonov vparfonov mentioned this pull request Dec 13, 2024
Merged
@vparfonov vparfonov mentioned this pull request Feb 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kattz-kawa kattz-kawa kattz-kawa left review comments

@jcantrill jcantrill Awaiting requested review from jcantrill

@alanconway alanconway Awaiting requested review from alanconway

Assignees

@alanconway alanconway

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. release/6.2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@vparfonov @openshift-ci-robot @cahartma @alanconway @openshift-cherrypick-robot @jcantrill @kattz-kawa