[Syslog-ng-maintainers] Bug#725668: syslog-ng: Space in ident ends up in msg instead of the program macro

[Gergely Nagy]

Control: found -1 3.5.1-1

Allan Wind <allan_wind at lifeintegrity.com> writes:

> If ident contains space (like fail2ban does) then the space and the ':' 
> separator ends up in msg.  Configured syslog-ng with the following:
>
> template tagged {
>         template("r_isodate=$R_ISODATE host=$HOST program=$PROGRAM pid=$PID msg=$MSG\n");
> };
> destination debug {
>         file("/tmp/syslog-ng.log" frac_digits(3) template(tagged));
> };
> log {
>         source(input);
>         destination(debug);
> };
>
> and logging an ident with space:
>
> allan at pawan:~$ logger --tag 'test ' msg
>
> results in this log event:
>
> r_isodate=2013-10-07T03:09:46.652-04:00 host=pawan program=test pid= 
> msg=: msg
>
> where I expected program = 'test ' and msg='msg' (no quotes).

Unfortunately, the BSD syslog protocol is weird and not exactly clear.
The RFC (3164) says this:

 "Most commonly, the first character of the CONTENT field that signifies
 the conclusion of the TAG field has been seen to be the left square
 bracket character ("["), a colon character (":"), or a space character.
 This is explained in more detail in Section 5.3."

In practice, if we ignored whitespace between ":" and the program name,
we may break other, legacy applications. I would rather suggest fixing
fail2ban to not send a space.

I tried to take a look at the fail2ban sources, but couldn't find where
it puts the space into the message. Can you perhaps send me a sample?

-- 
|8]