
Logstash syslog output plugin not setting facility correctly #39

Open
fragatina opened this issue May 25, 2017 · 8 comments

Comments

@fragatina

Using this plugin to send some logs to a remote host.

Configuration in logstash related with this plugin is as follows:
output {
  syslog {
    host => "10.0.0.25"
    port => "514"
    protocol => "udp"
    facility => "local5"
    severity => "debug"
  }
}

Then on the remote rsyslog server I've noticed that the logs are sent with severity 3.
If I want them to be sent to the remote server as local5, then I need to configure logstash with facility == "local7". This is not scalable, since if we want to send to the remote host as facility 'local7', then it's not clear which value to use in the config.

This behavior is seen in logstash 5.2. This was not happening in logstash 1.5.6.

@MrWolf1978

There are 2 facilities missing in FACILITY_LABELS array you are using as index.
You can take the full list here: https://tools.ietf.org/html/rfc3164#section-4.1.1
Basically 10 and 15; even if they carry a note, without these you are badly shifting the others.

@fooka03

fooka03 commented Apr 3, 2018

Still running into this issue with logstash 6.2. Workaround for getting to local5 was set facility to local7. We need to send things to local6 normally so I'll be using the priority field instead.

@rxp1997

rxp1997 commented Apr 9, 2018

2nd request to address this bug... as MrWolf1978 details, FACILITY_LABELS is missing two entries... Running logstash-output-syslog (3.0.5)

in /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:

FACILITY_LABELS = [
"kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "ftp", "ntp", "log audit", "log alert",
"local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

there should be a setting between clock & ftp, and log alert & local0.

@icalvete

logstash 6.4.0
logstash-output-syslog (3.0.5)

output {
  syslog {
    host => "10.0.0.22"
    port => 5514
    facility => "local4"
    severity => "info"
    protocol => "tcp"
  }
  stdout { codec => rubydebug }
}

I get..

local2.notice

@usp-tme

usp-tme commented Dec 21, 2018

As @rxp1997 and @MrWolf1978 already stated, there are two entries missing in the array FACILITY_LABELS. The problem was introduced by this commit, supposedly to remove duplicate values. The point is, those values are not duplicates. See:

Reverting the above-mentioned commit would fix the problem for non-duplicate facilities (e.g. 'local0', etc.), but, due to the nature of the implementation, erroneous priority values would be reported for the two duplicate facilities ('clock' and 'security/authorization').

The only option I see to remedy the situation would be to use integer values for the 'facility' config setting, but that's currently not supported.

@suyograo, what's your take on this?

@Shaoranlaos

The simplest solution to this (I think) is to append a string to these duplicated values,
e.g. clock2, security2 or clock15, security10,
because the short names are not really defined anywhere (in official documentation), so every person that would like to use these must always come to the source code.

@MrWolf1978

@Shaoranlaos, yes, I can confirm.
Basically I modified syslog.rb, adding two records in FACILITY_LABELS:
"secauth2" between "clock" and "ftp",
"clock2" between "log alert" and "local0".

I'm using this workaround since Oct 2017, and it's working fine.
The only downside is remembering to patch the file after every update.

@ristov

ristov commented Feb 5, 2020

This issue is still present in syslog output plugin. For example, if "local0" facility (code 16) is specified in the configuration, the plugin mistakenly uses facility of "console" (code 14), "local1" (code 17) gets mistakenly replaced with "solaris-cron" (code 15), "local2" (code 18) is replaced with "local0" (code 16), etc.
