On Thu, Apr 28, 2022 at 1:26 PM Ulrich Windl <Ulrich.Windl@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> Lennart Poettering <lennart@xxxxxxxxxxxxxx> schrieb am 28.04.2022 um 10:27
in
Nachricht <YmpQCYN0Y/gxlzGU@gardel-login>:
> On Do, 28.04.22 09:32, Ulrich Windl (Ulrich.Windl@xxxxxx‑regensburg.de)
wrote:
>
>> Actually I wasn't quite sure about the default config in SLES12.
>> It seems the flow is journald ‑> local rsyslogd ‑> remote syslogd
>>
>> > rsyslogd already knows if messages are UTF‑8 because the system's $LANG
>> > (well, nl_langinfo) says so. And if rsyslog can't trust that for some
>> > reason (e.g. because a user might have a different locale), then
>> > systemd‑journald won't be able to trust it either, so it won't know
whether
>> > it could add the BOM.
>>
>> How could a remote syslog server know what the locale on the sending
system
>> is?
>
> Your local rsyslogd could add the BOM when it transforms journal
> messages to syslog datagrams.
>
>> > RFC 3164 over the network to a remote server? Outside the scope for
>> > systemd, since it doesn't generate the network packets; your local
rsyslogd
>> > forwarder does. (Also, why RFC 3164 and not 5425?)
>>
>> If you look outside the world of systemd, about 99% of systems create the
> RFC
>> 3164 type of messages.
>
> That's a wild claim, and simply wrong actually.
Well actually as systemd cannot send syslog messages to remote, which systems
do you know that send RFC 5424 messages?
Actually I know none here.
syslog-ng does with destination{syslog()}, rsyslogd does with RSYSLOG_SyslogProtocol23Format; the HP switches at $WORK (and I think the Cisco ones) didn't even have BSD-format as an option, always producing 5424-format.
>
> systemd is focussed on reality: we generate and process the same
> format glibc generates.
I'm wondering which API all those programs use that create correct syslog
entries.
It's not that they create correct syslog entries, it's that the syslogd (well, the /dev/log listener, so including journald) *parses and rebuilds* the entries that come from the API before storing them anywhere.
Whether you use rsyslog or syslog-ng, they don't just dump program-provided data to /var/log – they both parse the input into date + hostname + pid + message, then reformat according to whatever output format is specified. (For example, we have syslog-ng configured to write RFC3339 timestamps.) Journald also does the same by design.
--
Mantas Mikulėnas
