167edc97 | 23-Jan-2025 | henning <henning@openbsd.org>
when acting as logserver with TLS (-S) and client-certificates are used for authentication (-K), use the CN from the client's certificate as hostname. A typical setup would use a dedicated, private CA issuing certificates with the hostname as CN to each host, and those use @tls://loghost as destination. This setup allows encrypted, authenticated logging over untrusted networks like the internet, now with correct hostnames in the logs - even with roaming hosts and hosts behind NAT (including telling multiple hosts behind the same NAT IP apart). uses tls_peer_cert_common_name(), thus needs a recent libtls. with & ok bluhm

18e6fc66 | 07-Nov-2024 | bluhm <bluhm@openbsd.org>
Move syslogd(8) TLS handshake callback from read to write handler.
syslogd should immediately detect that the incoming TLS handshake is complete. The old logic detected it when the first log message over TLS was arriving. For now only a debug message is logged, but the callback will be used to print the common name of the client certificate in the future.
OK tb@

7c3cb5da | 01-Jul-2024 | bluhm <bluhm@openbsd.org>
Explicit TLS handshake with syslog client.
Add a new TLS handshake callback for incoming connections. This will allow to inspect the client certificate later. For now only print a debug message and check it in regress.
with and OK henning@

82232deb | 29-Jun-2024 | jsg <jsg@openbsd.org>
remove unused var

172a5cb9 | 06-Jan-2024 | bluhm <bluhm@openbsd.org>
Prevent use after free of TLS context at syslogd(8) shutdown.
When splitting the event fields f_ev and f_bufev, disabling some events was missed. Callbacks could happen after tls_free(). Call bufferevent_disable() before f_bufev and struct filed are cleaned. In some error cases f_bufev might be NULL, add a check before cleanup.
OK tb@

fdcc316a | 19-Oct-2023 | bluhm <bluhm@openbsd.org>
syslogd(8) counts dropped UDP packets.
Now that syslogd handles delayed DNS lookups, also count dropped packets to UDP loghosts. Although not every outgoing UDP packet dropped along the path can be detected, the message makes the admin aware that there is a local blind spot during startup. Improve debug and log messages, especially if UDP logging is shut down permanently. Also do not print 'last message repeated' if the message was dropped.
OK deraadt@

c1f8818c | 12-Oct-2023 | bluhm <bluhm@openbsd.org>
Retry DNS lookup for remote loghost.
If DNS lookup for a remote loghost configured in syslog.conf did not work at startup, the entry was ignored. Better retry the lookup in intervals until it succeeds. Improve debug output to print IP address after resolution. Unify retry code that resolves DNS for UDP and connects to TCP server.
testing and feedback from Paul de Weerd; OK deraadt@

d51851b2 | 16-Mar-2023 | bluhm <bluhm@openbsd.org>
When syslogd is sending messages via UDP to a remote loghost, it stops if there is a permanent error. Add EACCES generated by pf to the list of transient errors. This restores pre-6.5 behavior and continues logging after pf.conf has been fixed. OK millert@ deraadt@ mvs@

3a50f0a9 | 28-Dec-2022 | jmc <jmc@openbsd.org>
spelling fixes; from paul tagliamonte any parts of his diff not taken are noted on tech

3b624d28 | 16-Jun-2022 | bluhm <bluhm@openbsd.org>
OpenBSD syslogd(8) escapes binary data with vis(3). Use the VIS_NOSLASH option to avoid additional backslashes. Although this option prevents decoding binaries, it makes automatic post processing easier. Formats like JSON use backslash escaping themselves, additional escaping from syslogd would break SIEM systems. vis protection was introduced to avoid evil characters in log files and not to make binary logging possible. from Matthias Pitzl; OK deraadt@

a05e7777 | 04-May-2022 | bluhm <bluhm@openbsd.org>
Variable pri is uninitialized, use msg.m_pri instead. This affects the priority of userland messages with kernel or unspecified facility. broken in previous commit; fix from markus@

2a99deb5 | 13-Jan-2022 | martijn <martijn@openbsd.org>
Move parsing of incoming syslog messages to their own section. This should make it more manageable.
No functional change intended, debugging output slightly changed.
help from and OK bluhm@

12b11e79 | 10-Nov-2021 | bluhm <bluhm@openbsd.org>
When sending via UDP, syslogd(8) can use iovec with sendmsg(2) instead of copying the strings with snprintf(3). OK martijn@

b7041c07 | 24-Oct-2021 | deraadt <deraadt@openbsd.org>
For open/openat, if the flags parameter does not contain O_CREAT, the 3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert

dfa08134 | 19-Sep-2021 | bluhm <bluhm@openbsd.org>
The LocalDomain in syslogd(8) is not used, remove variable. Use RFC 5424 NILVALUE as fallback for LocalHostName. OK millert@ mvs@

39a8af49 | 10-Sep-2021 | bluhm <bluhm@openbsd.org>
When writing a message, syslogd did a combination of putting everything into an iov and do some sprintf() formatting later. Better put everything into the iov upfront based on what the output methods need. Then either the full iov is written or a line is created by concatenating. OK martijn@

d9bba4bb | 03-Sep-2021 | bluhm <bluhm@openbsd.org>
Make sure that strings passed to printline() are always NUL terminated. There was a corner case with a very long message received over TCP or TLS where this was not clear. Force a '\0' where this line is truncated. OK martijn@ deraadt@

e4c12d7a | 03-Sep-2021 | bluhm <bluhm@openbsd.org>
Use a define for the iov array size in syslogd. This is better than passing the magic number 6 around and checking at runtime whether it fits. OK deraadt@ martijn@ mvs@

fa56b7e6 | 14-Jul-2021 | kn <kn@openbsd.org>
Remove unneeded calls to tls_init(3)
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of it being needed.
Feedback tb OK Tests mestre

5fc6fc53 | 09-Mar-2021 | bluhm <bluhm@openbsd.org>
Early daemons like dhcpleased(8), slaacd(8), unwind(8), resolvd(8) are started before syslogd(8). This resulted in ugly sendsyslog(2) dropped logs and the real message was lost. Create a temporary stash for log messages within the kernel. It has a limited size of 100 messages, and each message is truncated to 8192 bytes. When the stash is exhausted, the well-known dropped message is generated with a counter. After syslogd(8) has setup everything, it sends a debug line through libc to flush the kernel stash. Then syslogd receives all messages from the kernel before the usual logs. OK deraadt@ visa@

09f377e9 | 14-Sep-2020 | bluhm <bluhm@openbsd.org>
Established TCP and TLS sockets of syslogd did stay open forever if a client aborted the connection silently. As syslogd does not write anything into incoming connections, it will not recognize failure. Setting TCP keep alive on the listen socket does prevent that for accepted sockets. Note that outgoing connections do not need it as syslogd will write data into them. noticed by dhill@; OK millert@ beck@ deraadt@

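Added example, not syslogd's own code: a loopback check of the property the commit above relies on, namely that SO_KEEPALIVE set on the listening socket is inherited by the socket accept(2) returns, while a listener without it hands out accepted sockets with keepalive off. The function name and the loopback setup are this example's own.

```c
/* Added example (not from syslogd): does accept(2) inherit SO_KEEPALIVE
 * from the listening socket?  Builds a TCP connection over 127.0.0.1 and
 * reads the option back on the accepted socket.
 * Returns 1 if the accepted socket has keepalive on, 0 if off, -1 on error. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>

int accepted_socket_keepalive(int enable_on_listen)
{
    int lfd, cfd, afd, val, rc = -1;
    socklen_t len;
    struct sockaddr_in sin;

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return -1;
    val = 1;
    /* This is the setsockopt the commit adds on the listen socket. */
    if (enable_on_listen &&
        setsockopt(lfd, SOL_SOCKET, SO_KEEPALIVE, &val, sizeof(val)) == -1)
        goto out_l;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;               /* let the kernel pick a free port */
    if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(lfd, 1) == -1)
        goto out_l;
    len = sizeof(sin);
    if (getsockname(lfd, (struct sockaddr *)&sin, &len) == -1)
        goto out_l;
    /* Client side: a silent peer would look exactly like this after connect. */
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        goto out_l;
    if (connect(cfd, (struct sockaddr *)&sin, sizeof(sin)) == -1)
        goto out_c;
    if ((afd = accept(lfd, NULL, NULL)) == -1)
        goto out_c;
    /* Read the option on the accepted socket: no setsockopt was done on it. */
    val = 0;
    len = sizeof(val);
    if (getsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, &val, &len) == 0)
        rc = val != 0;
    close(afd);
out_c:
    close(cfd);
out_l:
    close(lfd);
    return rc;
}
```

Keepalive only helps after the connection has been idle for the system's keepalive idle time (net.inet.tcp.keepidle on OpenBSD), so the dead-connection cleanup is delayed by that interval, not immediate.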
7454d7ca | 25-May-2020 | bluhm <bluhm@openbsd.org>
When DNS lookup of a UDP loghost failed, syslogd(8) did close the UDP sockets for sending messages. Keep the sockets open if the config allows to send UDP. Then they can be used to send if DNS is working during the next SIGHUP. bug reported and fix tested by sven falempin; OK millert@

1a7ae0c4 | 05-Jul-2019 | bluhm <bluhm@openbsd.org>
When syslogd(8) parent process terminates, the file cleanup code did not work anymore. unveil(2) prevented removal. Cleaning the UNIX domain sockets is not necessary. They are harmless and unlinked before a new bind. So delete that functionality and convert global to local variables. Providing /var/run/syslog.pid is a common feature that should be kept. A stale pid file is confusing. So add a constant path to unveil(2) to allow pid file removal. OK deraadt@

2dc9d30c | 02-Jul-2019 | bluhm <bluhm@openbsd.org>
React properly to the very unlikely cases where snprintf(3) may fail. Log the message without formatting, that is the best syslogd(8) can do. OK deraadt@

df69c215 | 28-Jun-2019 | deraadt <deraadt@openbsd.org>
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.