Ask Your Question
0

Syslog RFC5424 MSGID and MSG not split

asked 2023-02-22 17:17:58 +0000

Pauliman gravatar image

Hi All! Currently I'm implementing a syslog client which I'm debugging using Wireshark. The messages I'm intending to send shall conform to RFC5424. It seems, that Wireshark recognizes almost all parts of my messages, except the message itself. It decodes MSGID as expected but assigned it all remaining data. According to RFC5424 MSGID is followed by SP STRUCTURED-DATA [SP MSG]. So I would expect, that at lest the SP after MSGID shall be easily identifiable. Is there any reason why thats not done or is my message faulty? (My MSGID is just some ASCII characters conforming to PRINTUSASCII.) Thank You! Pauliman

edit retag flag offensive close merge delete

Comments

There are two capture files attached to 15607: Syslog dissector processes the UTF-8 BOM incorrectly
Can you confirm same behavior with those and if so we'll use them for discussion and potential changes.

Chuckc gravatar imageChuckc ( 2023-02-22 18:39:50 +0000 )edit

Yes, syslog_old_new2.pcap shows in the second packet the question I raised: in the raw data, MSGID is just NILVALUE ('-'), but the dissector says "- - pam"[...].

Pauliman gravatar imagePauliman ( 2023-02-22 22:53:16 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-02-23 01:28:34 +0000

Chuckc gravatar image

This is worthy of a bug/Enhancement request on the Wireshark Gitlab issues.

rfc3164:

The full format of a syslog message seen on the wire has three discernable parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG.

rfc5424:

      SYSLOG-MSG      = HEADER SP STRUCTURED-DATA [SP MSG]

      HEADER          = PRI VERSION SP TIMESTAMP SP HOSTNAME
                        SP APP-NAME SP PROCID SP MSGID

There should be a field for header - see (Wireshark dfref - syslog).

In the decode below, version, timestamp, hostname, app-name, procid and msgid are all lumped into syslog.msg. They belong in the non-existent syslog.header field.
And per RFC5424, since the STRUCTURED-DATA field is nil (-), everything after the space following it should go into the syslog.msg field.

Frame 2: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits) on interface unknown, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.3
User Datagram Protocol, Src Port: 40175, Dst Port: 514
Syslog message: AUTHPRIV.INFO: 1 2019-03-18T15:15:38.467246+01:00 uhei-t-ntr001 sudo - - -  pam_unix(sudo:session): session closed for user root\n
    0101 0... = Facility: AUTHPRIV - security/authorization messages (private) (10)
    .... .110 = Level: INFO - informational (6)
    Message: 1 2019-03-18T15:15:38.467246+01:00 uhei-t-ntr001 sudo - - -  pam_unix(sudo:session): session closed for user root\n
        Syslog version: 1
        Syslog timestamp: Mar 18, 2019 14:15:38.467246000 UTC
        Syslog hostname: uhei-t-ntr001
        Syslog app name: sudo
        Syslog process id: -
        Syslog message id: - -  pam_unix(sudo:session): session closed for user root\n

        Syslog message id: - -  pam_unix(sudo:session): session closed for user root\n

Should be:

        Syslog message id: -
    Structured Data: -
    Message: pam_unix(sudo:session): session closed for user root\n
edit flag offensive delete link more

Comments

FYI: and then there is the #$@!$@#$$@ Cisco syslog format that claims

Note The syslog format is compatible with 4.3 BSD UNIX.


Which is not that same as being compliant with rfc3164 - The BSD syslog Protocol

Chuckc gravatar imageChuckc ( 2023-02-23 01:38:36 +0000 )edit

As of 11.12.2023, this is still not fixed. I searched for ticket containing"syslog", and saw there are 5 entries that are unrelated.

louled2 gravatar imagelouled2 ( 2023-12-11 16:14:45 +0000 )edit

See https://gitlab.com/wireshark/wireshar...

louled2 gravatar imagelouled2 ( 2023-12-13 09:00:41 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-02-22 17:17:58 +0000

Seen: 526 times

Last updated: Feb 23 '23

Related questions

Splitting Syslog dissector message columns

Unable to receive logs from a device to our SIEM Syslog server via TCP 514

How to identify syslog protocol packet?

Dissector Syslog transmitted via relp protocol span multiple TCP packets