  1. JBoss Enterprise Application Platform
  2. JBEAP-5185

Default app-name value of Syslog handler in Audit Logging violates specification


    • Bug
    • Resolution: Done
    • Major
    • 7.1.0.DR2
    • 7.0.0.GA, 7.0.1.CR2
    • Management
    • None

      1. Configure Audit Logging to log into (local) rsyslog and start server

      <audit-log>
          <formatters>
              <json-formatter name="json-formatter"/>
          </formatters>
          <handlers>
              <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
              <syslog-handler name="syslog-handler" formatter="json-formatter">
                  <udp host="127.0.0.1" port="514"/>
              </syslog-handler>
          </handlers>
          <logger log-boot="true" log-read-only="false" enabled="true">
              <handlers>
                  <handler name="file"/>
                  <handler name="syslog-handler"/>
              </handlers>
          </logger>
      </audit-log>
      

      2. Look into /var/log/messages file
      Note: the brackets must be escaped, JIRA doesn't allow me to stress it. Brackets [, ] used in the grep command should always be preceded by a backslash
      sudo grep "JBoss\[EAP\]" /var/log/messages - there should be a few occurrences
      sudo grep "JBossEAP\[" /var/log/messages - there should be no occurrences

      3. Stop server, change configuration to use app-name without space character and start it again

      <audit-log>
          <formatters>
              <json-formatter name="json-formatter"/>
          </formatters>
          <handlers>
              <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
              <syslog-handler name="syslog-handler" formatter="json-formatter" app-name="JBossEAP">
                  <udp host="127.0.0.1" port="514"/>
              </syslog-handler>
          </handlers>
          <logger log-boot="true" log-read-only="false" enabled="true">
              <handlers>
                  <handler name="file"/>
                  <handler name="syslog-handler"/>
              </handlers>
          </logger>
      </audit-log>
      

      4. Look into /var/log/messages file again
      Note: the brackets must be escaped, JIRA doesn't allow me to stress it. Bracket [ used in the grep command should always be preceded by a backslash
      sudo grep "JBossEAP\[" /var/log/messages - there should be a few occurrences (that contain the PID) now


      According to the syslog specification[1], app-name cannot contain a space character (" "). However, the default value in EAP 7 is JBoss EAP. As a result, the syslog server is not able to capture the process ID from which the message was sent.
      E.g. the following piece of information is captured: JBoss[EAP] (...) instead of JBossEAP[795]

      Suggestions for improvement:
      Change default value JBoss EAP to one without space character.
      Also please consider addition of check whether app-name contains space character.

      [1] https://tools.ietf.org/html/rfc5424#page-8
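
The field shift described above, as an added example (not part of the original report or of EAP's code): a check that an app-name is a legal RFC 5424 APP-NAME, and a minimal receiver-side header split showing why "JBoss EAP" ends up as JBoss[EAP]. The PRI, timestamp and host name are constructed sample values, and all function names are hypothetical.

```python
import re

# RFC 5424 section 6: APP-NAME = NILVALUE / 1*48PRINTUSASCII.
# PRINTUSASCII is %d33-126, so a space (%d32) is never allowed.
APP_NAME_RE = re.compile(r"-|[\x21-\x7e]{1,48}")

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
FIELDS = ("pri", "version", "timestamp", "hostname", "app_name", "procid", "msgid")


def is_valid_app_name(name):
    """Return True if name is a legal RFC 5424 APP-NAME."""
    return APP_NAME_RE.fullmatch(name) is not None


def build_header(app_name, procid, pri=110, host="host1",
                 ts="2016-01-01T00:00:00Z", msgid="-"):
    """Serialise a header as a sender that performs no validation would.

    pri, host and ts are constructed sample values; the trailing "- " is
    the empty STRUCTURED-DATA field followed by the separator before MSG.
    """
    return f"<{pri}>1 {ts} {host} {app_name} {procid} {msgid} - "


def parse_header(line):
    """Split the header into its space-delimited fields, as a receiver does."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header")
    return dict(zip(FIELDS, m.groups()))


def tag(fields):
    """Render the 'app-name[procid]' tag that appears in /var/log/messages."""
    return f"{fields['app_name']}[{fields['procid']}]"


if __name__ == "__main__":
    for name in ("JBoss EAP", "JBossEAP"):
        fields = parse_header(build_header(name, "795"))
        print(f"{name!r}: valid={is_valid_app_name(name)} "
              f"tag={tag(fields)} msgid={fields['msgid']}")
```

With the space in place the receiver reads "EAP" as PROCID and the real process ID slides into MSGID, which is why the PID never appears in the tag.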

            kwills@redhat.com Ken Wills
            jtymel Jan Tymel (Inactive)
            Jan Tymel Jan Tymel (Inactive)
            Jan Tymel Jan Tymel (Inactive)