FreeBSD 12 Log Format

Matt Churchyard matt.churchyard at userve.net
Thu Dec 20 11:37:33 UTC 2018


Hello,

I'm having some strange issues with the log format on one (only one of two...) of my FreeBSD 12 installs.
Both of these were upgraded from a previous version as I had an older installer available, but are pretty much stock.

However, one of these is logging in a new format (I see references around the commits to the inclusion of an RFC 5424 format, which seems to look very similar to what I'm seeing):

Dec 17 15:27:46 ftp 1 2018-12-17T15:27:46.576942+00:00 host.name.fqdn pkg-static 75241 - - pkg-1.10.5_5 installed

As far as I'm aware, it shouldn't be doing this unless I specifically choose to change the syslog format via rc.conf?
I really don't know what's going on as some logs such as maillog are still in the original format. It's not really a problem for me, I just can't understand why I'm seeing this on one server, but not another.

The forum link below is mine, but there's also a GitHub issue regarding base ssh logs seeing the same problem. (It was actually trying to configure fail2ban that got me looking at this in the first place)

https://forums.freebsd.org/threads/freebsd-12-log-format-fail2ban-not-matching.68806/#post-410670
https://github.com/fail2ban/fail2ban/issues/2309

Just as another note, I started writing a fail2ban regex for this using RFC 5424, and as far as I can see there's a non-optional (at least I can't see mention of optional in the spec)** PRI value which should be before this version number, which doesn't appear to be there. Also, of course, the timestamp and hostname are duplicated at the start, although I believe that was kept on purpose.

** "The PRI part MUST have three, four, or five characters and will be bound with angle brackets as the first and last characters."

Regards,
Matt Churchyard
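
Added example, not part of the original message: a Python parser that accepts both the line format quoted above (legacy timestamp and hostname prefix, then RFC 5424 header fields with no PRI) and the traditional format, so that a log-matching rule yields the same fields from either. The regexes, the parse() helper and the second sample line are constructed for illustration and are not taken from FreeBSD or fail2ban.

```python
import re

# Legacy prefix kept at the start of every line: "Dec 17 15:27:46 ftp "
PREFIX = r"^(?P<bsd_ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<bsd_host>\S+) "

# RFC 5424 header fields after the prefix, with no <PRI> (as in the quoted line).
# Structured data is matched loosely; an escaped "]" inside a value is not handled.
HYBRID = re.compile(
    PREFIX
    + r"(?P<version>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)

# Traditional body after the prefix: "sshd[1234]: message"
LEGACY = re.compile(PREFIX + r"(?P<app>[^\s\[:]+)(?:\[(?P<procid>\d+)\])?: (?P<msg>.*)$")


def parse(line):
    """Return a dict with the same keys for either format, or None if no match."""
    for name, rx in (("rfc5424-noPRI", HYBRID), ("bsd", LEGACY)):
        m = rx.match(line.rstrip("\n"))
        if m:
            f = m.groupdict()
            procid = f["procid"]
            return {
                "format": name,
                # Prefer the RFC 5424 hostname field; fall back to the prefix host
                "host": f.get("host") or f["bsd_host"],
                "app": f["app"],
                "procid": None if procid in (None, "-") else procid,
                "msg": f.get("msg") or "",
            }
    return None


SAMPLES = [
    # Line quoted in the message above
    "Dec 17 15:27:46 ftp 1 2018-12-17T15:27:46.576942+00:00 host.name.fqdn pkg-static 75241 - - pkg-1.10.5_5 installed",
    # Constructed: the same event written as a traditional-format line
    "Dec 17 15:27:46 ftp pkg-static[75241]: pkg-1.10.5_5 installed",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse(s))
```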


