
Syslog RFC5424 MSGID and MSG not split

Hi All! Currently I'm implementing a syslog client which I'm debugging using Wireshark. The messages I'm intending to send shall conform to RFC5424. It seems that Wireshark recognizes almost all parts of my messages, except the message itself. It decodes MSGID as expected but assigns it all remaining data. According to RFC5424, MSGID is followed by SP STRUCTURED-DATA [SP MSG]. So I would expect that at least the SP after MSGID shall be easily identifiable. Is there any reason why that's not done, or is my message faulty? (My MSGID is just some ASCII characters conforming to PRINTUSASCII.) Thank You! Pauliman

Pauliman
asked 2023-02-22 17:17:58 +0000

Comments

There are two capture files attached to 15607: Syslog dissector processes the UTF-8 BOM incorrectly
Can you confirm same behavior with those and if so we'll use them for discussion and potential changes.

Chuckc (2023-02-22 18:39:50 +0000)

Yes, syslog_old_new2.pcap shows in the second packet the question I raised: in the raw data, MSGID is just NILVALUE ('-'), but the dissector says "- - pam"[...].

Pauliman (2023-02-22 22:53:16 +0000)

1 Answer


This is worthy of a bug/Enhancement request on the Wireshark Gitlab issues.

rfc3164:

The full format of a syslog message seen on the wire has three discernable parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG.

rfc5424:

      SYSLOG-MSG      = HEADER SP STRUCTURED-DATA [SP MSG]

      HEADER          = PRI VERSION SP TIMESTAMP SP HOSTNAME
                        SP APP-NAME SP PROCID SP MSGID

There should be a field for header - see (Wireshark dfref - syslog).

In the decode below, version, timestamp, hostname, app-name, procid and msgid are all lumped into syslog.msg. They belong in the non-existent syslog.header field.
And per RFC5424, since the STRUCTURED-DATA field is nil (-), everything after the space following it should go into the syslog.msg field.

Frame 2: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits) on interface unknown, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.3
User Datagram Protocol, Src Port: 40175, Dst Port: 514
Syslog message: AUTHPRIV.INFO: 1 2019-03-18T15:15:38.467246+01:00 uhei-t-ntr001 sudo - - -  pam_unix(sudo:session): session closed for user root\n
    0101 0... = Facility: AUTHPRIV - security/authorization messages (private) (10)
    .... .110 = Level: INFO - informational (6)
    Message: 1 2019-03-18T15:15:38.467246+01:00 uhei-t-ntr001 sudo - - -  pam_unix(sudo:session): session closed for user root\n
        Syslog version: 1
        Syslog timestamp: Mar 18, 2019 14:15:38.467246000 UTC
        Syslog hostname: uhei-t-ntr001
        Syslog app name: sudo
        Syslog process id: -
        Syslog message id: - -  pam_unix(sudo:session): session closed for user root\n
        Syslog message id: - -  pam_unix(sudo:session): session closed for user root\n

Should be:

        Syslog message id: -
    Structured Data: -
    Message: pam_unix(sudo:session): session closed for user root\n
Chuckc
answered 2023-02-23 01:28:34 +0000
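As an added example (not code from the question, the answer or Wireshark), a small Python parser that splits a version-1 message exactly along the grammar quoted in the answer (HEADER fields separated by single SP, then STRUCTURED-DATA, then the optional SP MSG), and also strips the optional UTF-8 BOM that issue 15607 is about. The sample bytes are reconstructed from the decode shown above; the PRI value 86 is assumed from the facility/level the dissector printed.

```python
import re

# Constructed from the frame quoted in the answer: PRI 86 = facility 10 (AUTHPRIV) * 8
# + severity 6 (INFO); the MSG keeps the leading space visible in "- - -  pam_unix".
SAMPLE = (b"<86>1 2019-03-18T15:15:38.467246+01:00 uhei-t-ntr001 sudo - - -"
          b"  pam_unix(sudo:session): session closed for user root\n")
UTF8_BOM = b"\xef\xbb\xbf"  # RFC 5424 section 6.4: optional BOM announcing a UTF-8 MSG

def _skip_structured_data(buf: bytes, pos: int) -> int:
    """Return the index just past STRUCTURED-DATA ('-' or one or more SD-ELEMENTs)."""
    if buf[pos:pos + 1] == b"-":
        return pos + 1
    while buf[pos:pos + 1] == b"[":
        pos += 1
        while True:
            if pos >= len(buf):
                raise ValueError("unterminated SD-ELEMENT")
            if buf[pos] == ord("\\"):  # '\]', '\"' and '\\' are escapes inside PARAM-VALUE
                pos += 2
                continue
            pos += 1
            if buf[pos - 1] == ord("]"):
                break
    return pos

def parse_rfc5424(buf: bytes) -> dict:
    """Split one RFC 5424 message into HEADER fields, STRUCTURED-DATA and MSG."""
    m = re.match(rb"<(\d{1,3})>1 ", buf)  # PRI, VERSION 1, then the SP before TIMESTAMP
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 version-1 message")
    pri = int(m.group(1))
    out = {"facility": pri >> 3, "severity": pri & 7}
    pos = m.end()
    for name in ("timestamp", "hostname", "app_name", "procid", "msgid"):
        sp = buf.index(b" ", pos)  # each HEADER field is terminated by exactly one SP
        out[name] = buf[pos:sp].decode("ascii")
        pos = sp + 1
    end = _skip_structured_data(buf, pos)
    out["structured_data"] = buf[pos:end].decode("utf-8")
    if end == len(buf):  # [SP MSG] is optional
        out["msg"] = None
    elif buf[end:end + 1] == b" ":
        msg = buf[end + 1:]
        if msg.startswith(UTF8_BOM):
            msg = msg[len(UTF8_BOM):]
        out["msg"] = msg.decode("utf-8")
    else:
        raise ValueError("unexpected byte after STRUCTURED-DATA")
    return out
```

Run against SAMPLE, msgid and structured_data both come out as "-" and msg is the pam_unix text (with its leading space), which is the split the answer says the dissector should produce.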

Comments

FYI: and then there is the #$@!$@#$$@ Cisco syslog format that claims

Note The syslog format is compatible with 4.3 BSD UNIX.


Which is not that same as being compliant with rfc3164 - The BSD syslog Protocol

Chuckc (2023-02-23 01:38:36 +0000)

As of 11.12.2023, this is still not fixed. I searched for tickets containing "syslog", and saw there are 5 entries that are unrelated.

louled2 (2023-12-11 16:14:45 +0000)