Add newsyslog capability to write RFC5424 compliant rotation message.

This modification adds the capability to newsyslog to write the
rotation message in a format that is compliant with RFC5424. This
capability is enabled on a per-log file basis through a new value
("T") in the flags field in newsyslog.conf. This is useful on systems
that use the RFC5424 format for log files so that the rotation message
format matches that of the other log messages. There has been recent
mention of adding an RFC5424 compliant mode to syslogd and at least
one alternative system log daemon (rsyslogd) that already has the
capability to use that format.

Reviewed by:	vangyzen, ngie
Approved by:	vangyzen (mentor)
MFC after:	2 months
Relnotes:	yes
Sponsored by:	Dell EMC
Differential Revision:	https://reviews.freebsd.org/D10253

usr.sbin/newsyslog/extern.h

@@ -60,6 +60,8 @@ int		 ptime_free(struct ptime_data *_ptime);
 int		 ptime_relparse(struct ptime_data *_ptime, int _parseopts,
 		    time_t _basetime, const char *_str);
 const char	*ptimeget_ctime(const struct ptime_data *_ptime);
+char		*ptimeget_ctime_rfc5424(const struct ptime_data *_ptime,
+		    char *timebuf, size_t bufsize);
 double		 ptimeget_diff(const struct ptime_data *_minuend,
 		    const struct ptime_data *_subtrahend);
 time_t		 ptimeget_secs(const struct ptime_data *_ptime);

usr.sbin/newsyslog/newsyslog.8

@@ -17,7 +17,7 @@
 .\" the suitability of this software for any purpose.  It is
 .\" provided "as is" without express or implied warranty.
 .\"
-.Dd April 15, 2017
+.Dd May 19, 2017
 .Dt NEWSYSLOG 8
 .Os
 .Sh NAME
@@ -125,7 +125,8 @@ reasons for either trimming that log or skipping it.
 Cause
 .Nm
 not to trim the logs, but to print out what it would do if this option
-were not specified. This option implies the
+were not specified.
+This option implies the
 .Fl r
 option.
 .It Fl r

usr.sbin/newsyslog/newsyslog.c

@@ -79,6 +79,7 @@ __FBSDID("$FreeBSD$");
 #include <libgen.h>
 #include <stdlib.h>
 #include <string.h>
+#include <syslog.h>
 #include <time.h>
 #include <unistd.h>
 
@@ -132,6 +133,8 @@ __FBSDID("$FreeBSD$");
 #define	CE_NODUMP	0x0200	/* Set 'nodump' on newly created log file. */
 #define	CE_PID2CMD	0x0400	/* Replace PID file with a shell command.*/
 
+#define	CE_RFC5424	0x0800	/* Use RFC5424 format rotation message */
+
 #define	MIN_PID         5	/* Don't touch pids lower than this */
 #define	MAX_PID		99999	/* was lower, see /usr/include/sys/proc.h */
 
@@ -247,6 +250,15 @@ static struct ptime_data *timenow; /* The time to use for checking at-fields */
 #define	DAYTIME_LEN	16
 static char daytime[DAYTIME_LEN];/* The current time in human readable form,
 				  * used for rotation-tracking messages. */
+
+/* Another buffer to hold the current time in RFC5424 format. Fractional
+ * seconds are allowed by the RFC, but are not included in the
+ * rotation-tracking messages written by newsyslog and so are not accounted for
+ * in the length below.
+ */
+#define	DAYTIME_RFC5424_LEN	sizeof("YYYY-MM-DDTHH:MM:SS+00:00")
+static char daytime_rfc5424[DAYTIME_RFC5424_LEN];
+
 static char hostname[MAXHOSTNAMELEN]; /* hostname */
 
 static const char *path_syslogpid = _PATH_SYSLOGPID;
@@ -630,6 +642,7 @@ parse_args(int argc, char **argv)
 	timenow = ptime_init(NULL);
 	ptimeset_time(timenow, time(NULL));
 	strlcpy(daytime, ptimeget_ctime(timenow) + 4, DAYTIME_LEN);
+	ptimeget_ctime_rfc5424(timenow, daytime_rfc5424, DAYTIME_RFC5424_LEN);
 
 	/* Let's get our hostname */
 	(void)gethostname(hostname, sizeof(hostname));
@@ -1296,11 +1309,14 @@ parse_file(FILE *cf, struct cflist *work_p, struct cflist *glob_p,
 			case 'r':
 				working->flags |= CE_PID2CMD;
 				break;
+			case 't':
+				working->flags |= CE_RFC5424;
+				break;
 			case 'u':
 				working->flags |= CE_SIGNALGROUP;
 				break;
 			case 'w':
-				/* Depreciated flag - keep for compatibility purposes */
+				/* Deprecated flag - keep for compatibility purposes */
 				break;
 			case 'x':
 				working->compress = COMPRESS_XZ;
@@ -2101,7 +2117,7 @@ save_sigwork(const struct conf_entry *ent)
 
 	tmpsiz = sizeof(struct sigwork_entry) + strlen(ent->pid_cmd_file) + 1;
 	stmp = malloc(tmpsiz);
-	
+
 	stmp->sw_runcmd = 0;
 	/* If this is a command to run we just set the flag and run command */
 	if (ent->flags & CE_PID2CMD) {
@@ -2257,15 +2273,34 @@ log_trim(const char *logname, const struct conf_entry *log_ent)
 	xtra = "";
 	if (log_ent->def_cfg)
 		xtra = " using <default> rule";
-	if (log_ent->firstcreate)
-		fprintf(f, "%s %s newsyslog[%d]: logfile first created%s\n",
-		    daytime, hostname, (int) getpid(), xtra);
-	else if (log_ent->r_reason != NULL)
-		fprintf(f, "%s %s newsyslog[%d]: logfile turned over%s%s\n",
-		    daytime, hostname, (int) getpid(), log_ent->r_reason, xtra);
-	else
-		fprintf(f, "%s %s newsyslog[%d]: logfile turned over%s\n",
-		    daytime, hostname, (int) getpid(), xtra);
+	if (log_ent->flags & CE_RFC5424) {
+		if (log_ent->firstcreate) {
+			fprintf(f, "<%d>1 %s %s newsyslog %d - - %s%s\n",
+			    LOG_MAKEPRI(LOG_USER, LOG_INFO),
+			    daytime_rfc5424, hostname, getpid(),
+			    "logfile first created", xtra);
+		} else if (log_ent->r_reason != NULL) {
+			fprintf(f, "<%d>1 %s %s newsyslog %d - - %s%s%s\n",
+			    LOG_MAKEPRI(LOG_USER, LOG_INFO),
+			    daytime_rfc5424, hostname, getpid(),
+			    "logfile turned over", log_ent->r_reason, xtra);
+		} else {
+			fprintf(f, "<%d>1 %s %s newsyslog %d - - %s%s\n",
+			    LOG_MAKEPRI(LOG_USER, LOG_INFO),
+			    daytime_rfc5424, hostname, getpid(),
+			    "logfile turned over", xtra);
+		}
+	} else {
+		if (log_ent->firstcreate)
+			fprintf(f, "%s %s newsyslog[%d]: logfile first created%s\n",
+			    daytime, hostname, getpid(), xtra);
+		else if (log_ent->r_reason != NULL)
+			fprintf(f, "%s %s newsyslog[%d]: logfile turned over%s%s\n",
+			    daytime, hostname, getpid(), log_ent->r_reason, xtra);
+		else
+			fprintf(f, "%s %s newsyslog[%d]: logfile turned over%s\n",
+			    daytime, hostname, getpid(), xtra);
+	}
 	if (fclose(f) == EOF)
 		err(1, "log_trim: fclose");
 	return (0);

usr.sbin/newsyslog/newsyslog.conf.5

@@ -21,7 +21,7 @@
 .\" the suitability of this software for any purpose.  It is
 .\" provided "as is" without express or implied warranty.
 .\"
-.Dd April 15, 2017
+.Dd May 19, 2017
 .Dt NEWSYSLOG.CONF 5
 .Os
 .Sh NAME
@@ -242,7 +242,7 @@ rotate at the first day of every month at midnight
 (i.e., the start of the day; same as
 .Li @01T00 )
 .It Li $M5D6
-rotate on every 5th day of month at 6:00
+rotate on every fifth day of month at 6:00
 (same as
 .Li @05T06 )
 .El
@@ -319,6 +319,11 @@ will run shell command defined in
 .Ar path_to_pid_cmd_file
 after rotation instead of trying to send signal to a process id
 stored in the file.
+.It Cm T
+if this flag is set the informational rotation message written to
+the log file will be in the format specified by RFC5424.
+Normally, the rotation message is written in the traditional (RFC3164)
+syslog format.
 .It Cm U
 indicates that the file specified by
 .Ar path_to_pid_cmd_file
@@ -395,6 +400,17 @@ entry:
 .Xr chown 8 ,
 .Xr newsyslog 8 ,
 .Xr syslogd 8
+.Pp
+.Rs
+.%A C. Lonvick
+.%T The BSD syslog Protocol
+.%O RFC3164
+.Re
+.Rs
+.%A R. Gerhards
+.%T The Syslog Protocol
+.%O RFC5424
+.Re
 .Sh HISTORY
 This manual page first appeared in
 .Fx 4.10 .

usr.sbin/newsyslog/ptimes.c

@@ -478,6 +478,75 @@ ptimeget_ctime(const struct ptime_data *ptime)
 	return (ctime(&ptime->tsecs));
 }
 
+/*
+ * Generate a time of day string in an RFC5424 compatible format. Return a
+ * pointer to the buffer with the timestamp string or NULL if an error. If the
+ * time is not supplied, cannot be converted to local time, or the resulting
+ * string would overflow the buffer, the returned string will be the RFC5424
+ * NILVALUE.
+ */
+char *
+ptimeget_ctime_rfc5424(const struct ptime_data *ptime,
+    char *timebuf, size_t bufsize)
+{
+	static const char NILVALUE[] = {"-"};	/* RFC5424 specified NILVALUE */
+	int chars;
+	struct tm tm;
+	int tz_hours;
+	int tz_mins;
+	long tz_offset;
+	char tz_sign;
+
+	if (timebuf == NULL) {
+		return (NULL);
+	}
+
+	if (bufsize < sizeof(NILVALUE)) {
+		return (NULL);
+	}
+
+	/*
+	 * Convert to localtime. RFC5424 mandates the use of the NILVALUE if
+	 * the time cannot be obtained, so use that if there is an error in the
+	 * conversion.
+	 */
+	if (ptime == NULL || localtime_r(&(ptime->tsecs), &tm) == NULL) {
+		strlcpy(timebuf, NILVALUE, bufsize);
+		return (timebuf);
+	}
+
+	/*
+	 * Convert the time to a string in RFC5424 format. The conversion
+	 * cannot be done with strftime() because it cannot produce the correct
+	 * timezone offset format.
+	 */
+	if (tm.tm_gmtoff < 0) {
+		tz_sign = '-';
+		tz_offset = -tm.tm_gmtoff;
+	} else {
+		tz_sign = '+';
+		tz_offset = tm.tm_gmtoff;
+	}
+
+	tz_hours = tz_offset / 3600;
+	tz_mins = (tz_offset % 3600) / 60;
+
+	chars = snprintf(timebuf, bufsize,
+	    "%04d-%02d-%02d"	/* date */
+	    "T%02d:%02d:%02d"	/* time */
+	    "%c%02d:%02d",	/* time zone offset */
+	    tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
+	    tm.tm_hour, tm.tm_min, tm.tm_sec,
+	    tz_sign, tz_hours, tz_mins);
+
+	/* If the timestamp is too big for timebuf, return the NILVALUE. */
+	if (chars >= (int)bufsize) {
+		strlcpy(timebuf, NILVALUE, bufsize);
+	}
+
+	return (timebuf);
+}
+
 double
 ptimeget_diff(const struct ptime_data *minuend, const struct
     ptime_data *subtrahend)

usr.sbin/newsyslog/tests/legacy_test.sh

@@ -2,6 +2,15 @@
 
 # $FreeBSD$
 
+# A regular expression matching the format of an RFC-5424 log line header,
+# including the timestamp up through the seconds indicator; it does not include
+# the (optional) timezone offset.
+RFC5424_FMT='^<[0-9][0-9]*>1 [0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}'
+
+# A regular expression matching the format of an RFC-3164 (traditional syslog)
+# log line header, including the timestamp.
+RFC3164_FMT='^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}'
+
 COUNT=0
 TMPDIR=$(pwd)/work
 if [ $? -ne 0 ]; then
@@ -98,6 +107,32 @@ ckntfe()
 	fi
 }
 
+# Verify that the specified file has RFC-5424 rotation messages.
+ckrfc5424()
+{
+	local lc=$(wc -l $1 | cut -w -f2)
+	local rc=$(grep -cE "${RFC5424_FMT}" $1)
+	if [ "$lc" -eq 0 -o "$rc" -eq 0 -o "$lc" -ne "$rc" ]
+	then
+		notok
+	else
+		ok
+	fi
+}
+
+
+# Verify that the specified file has RFC-3164 rotation messages.
+ckrfc3164()
+{
+	local lc=$(wc -l $1 | cut -w -f2)
+	local rc=$(grep -cE "${RFC3164_FMT}" $1)
+	if [ "$lc" -eq 0 -o "$rc" -eq 0 -o "$lc" -ne "$rc" ]
+	then
+		notok
+	else
+		ok
+	fi
+}
 
 
 # A part of a test succeeds
@@ -381,6 +416,45 @@ tests_time_rotate() {
 	tmpdir_clean
 }
 
+tests_rfc5424() {
+	ext="$1"
+	dir="$2"
+
+	if [ -n "$dir" ]; then
+		newsyslog_args=" -a ${dir}"
+		name_postfix="${ext} archive dir"
+	else
+		newsyslog_args=""
+		name_postfix="${ext}"
+	fi
+
+	tmpdir_create
+
+	begin "RFC-5424 - create file ${name_postfix}" -newdir
+	run_newsyslog -C
+	ckfe $LOGFNAME
+	cknt ${dir}${LOGFNAME}.0${ext}
+	ckfe $LOGFNAME5424
+	cknt ${dir}${LOGFNAME5424}.0${ext}
+        ckrfc3164 ${LOGFNAME}
+        ckrfc5424 ${LOGFNAME5424}
+	end
+
+	begin "RFC-5424 - rotate normal 1 ${name_postfix}"
+	run_newsyslog $newsyslog_args
+	ckfe ${LOGFNAME}
+	ckfe ${dir}${LOGFNAME}.0${ext}
+	ckfe $LOGFNAME5424
+	ckfe ${dir}${LOGFNAME5424}.0${ext}
+        ckrfc3164 ${LOGFNAME}
+        ckrfc3164 ${dir}${LOGFNAME}.0${ext}
+        ckrfc5424 ${LOGFNAME5424}
+        ckrfc5424 ${dir}${LOGFNAME5424}.0${ext}
+	end
+
+	tmpdir_clean
+}
+
 echo 1..126
 mkdir -p ${TMPDIR}
 cd ${TMPDIR}
@@ -388,6 +462,10 @@ cd ${TMPDIR}
 LOGFNAME=foo.log
 LOGFPATH=${TMPDIR}/log/${LOGFNAME}
 
+# Log file for RFC-5424 testing
+LOGFNAME5424=foo5424.log
+LOGFPATH5424=${TMPDIR}/log/${LOGFNAME5424}
+
 # Normal, no archive dir, keep X files
 echo "$LOGFPATH	640  0	   *	@T00  NC" > newsyslog.conf
 tests_normal_rotate_keepn 0
@@ -454,4 +532,9 @@ tests_time_rotate "gz" "${TMPDIR}/alog/"
 echo "$LOGFPATH	640  3	   *	@T00  NCJ" > newsyslog.conf
 tests_time_rotate "bz2" "${TMPDIR}/alog/"
 
+# RFC-5424; Normal, no archive dir
+echo "$LOGFPATH5424	640  3	   *	@T00  NCT" > newsyslog.conf
+echo "$LOGFPATH	640  3	   *	@T00  NC" >> newsyslog.conf
+tests_rfc5424
+
 rm -rf "${TMPDIR}"