[ZBX-7562] Zabbix' syslog messages do not conform to RFC-5424 Created: 2013 Dec 18  Updated: 2017 May 30  Resolved: 2013 Dec 19

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G), Server (S)
Affects Version/s: 2.0.8
Fix Version/s: None

Type: Incident report
Priority: Minor
Reporter: Remko Catersels
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: agent, server, syslog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

FreeBSD 9.2


Issue Links:
Duplicate
duplicates ZBX-4243 Change syslog tag not to contain a space Closed

 Description   

If LogFile is not defined, Zabbix (Agent and Server) will log its messages to syslog. However, because the messages do not conform to RFC-5424, it is next to impossible to aggregate syslogs to a central server. Syslog-ng, for example, assumes the message comes from a host named "Zabbix" because the syslog messages are missing the real hostname and the string "Zabbix" from "Zabbix agent (daemon)[pid]" is used instead.



 Comments   
Comment by Remko Catersels [ 2013 Dec 18 ]

A message like this:
Dec 18 14:45:36 Zabbix Agent (daemon)[74333]: agent #3 started [listener]

Should really be sent like this:
Dec 18 14:45:36 host.name zabbix_agentd[74333]: agent #3 started [listener]
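
An added illustration of the misattribution reported here; it is not part of the original ticket and is not syslog-ng's or Zabbix's code. It is a simplified receiver-side split of a BSD-style line that assumes everything before the first ": " is "[HOSTNAME] TAG[PID]". The names `parse_line`, `valid_app_name` and the sender `agent01.example` are hypothetical, and the third sample line is constructed.

```python
import re

# BSD-style line as a relay sees it: "Mmm dd hh:mm:ss [HOSTNAME] TAG[PID]: MSG"
STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PROG = re.compile(r"(?P<tag>.*?)(?:\[(?P<pid>\d+)\])?$")

# First two lines are the ones quoted in the ticket; the third is constructed.
OLD_TAG = "Dec 18 14:45:36 Zabbix Agent (daemon)[74333]: agent #3 started [listener]"
WITH_HOST = "Dec 18 14:45:36 host.name zabbix_agentd[74333]: agent #3 started [listener]"
NEW_TAG = "Dec 18 14:45:36 zabbix_agentd[74333]: agent #3 started [listener]"


def parse_line(line, sender):
    """Split one line; `sender` (hypothetical) is the peer name the relay
    falls back to when the line itself carries no hostname."""
    m = STAMP.match(line)
    if m is None:
        raise ValueError("no BSD syslog timestamp")
    head, sep, msg = line[m.end():].partition(": ")
    if not sep:
        raise ValueError("no 'TAG: ' separator")
    first, space, rest = head.partition(" ")
    if space:
        # Two or more tokens before the colon: the first is read as HOSTNAME.
        host, prog = first, rest
    else:
        # A single token can only be the tag, so the hostname is absent.
        host, prog = sender, head
    p = PROG.match(prog)
    return {"host": host, "tag": p["tag"], "pid": p["pid"], "msg": msg}


def valid_app_name(tag):
    """RFC 5424 APP-NAME: 1 to 48 printable US-ASCII characters (33-126),
    which excludes the space character."""
    return 1 <= len(tag) <= 48 and all(33 <= ord(c) <= 126 for c in tag)


if __name__ == "__main__":
    for line in (OLD_TAG, WITH_HOST, NEW_TAG):
        rec = parse_line(line, sender="agent01.example")
        print(rec["host"], "|", rec["tag"], "|", valid_app_name(rec["tag"]))
```

With a space-free tag the single token before the colon cannot be mistaken for a hostname, so the relay can attribute the line to the sending peer.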

Comment by Marc [ 2013 Dec 18 ]

see ZBX-4243

Comment by Remko Catersels [ 2013 Dec 18 ]

Bugger, I had searched for similar reports but did not find anything. Anyway, ZBX-4243 is exactly the issue I have. This one can be closed as duplicate.

Comment by richlv [ 2013 Dec 18 ]

hmm, that issue does not seem to do anything specific regarding hostname - shouldn't that be handled at a lower level ?

Comment by Remko Catersels [ 2013 Dec 18 ]

I'm not sure how exactly Zabbix sends syslog messages. But it's possible the local syslog simply assumes "Zabbix" is the hostname. This doesn't matter much locally but if syslog is forwarded to a central server all logging ends up as originating from "Zabbix" instead of the actual hostname.

As for the fix mentioned in ZBX-4243, is there any chance it could make its way into 2.0.x?

Comment by richlv [ 2013 Dec 18 ]

As for the fix mentioned in ZBX-4243, is there any chance it could make its way into 2.0.x?

highly unlikely. not even in 2.2 - lately we try not to introduce any significant changes in stable branches

Comment by Andris Mednis [ 2013 Dec 19 ]

The fix for ZBX-4243 was very simple. It was applied only to trunk, but technically it should be easy to fix other supported versions, too. We are looking into it.

Comment by Remko Catersels [ 2013 Dec 19 ]

I don't think this constitutes a significant change. Only the application name changes in the logging and there's no significant change in the way Zabbix itself operates. Some of the patches from 2.0.8 to 2.0.9 and 2.0.10 seem to have bigger impacts. I do need to update to 2.0.10 some time soon but with the Christmas/New Year's holidays coming up it's probably going to be early next year before I'm able to. I'd be more than happy if the fix is added to 2.0.11.

Comment by Andris Mednis [ 2013 Dec 19 ]

It was decided that the fix ZBX-4243 should be implemented in all supported Zabbix versions: 1.8, 2.0, 2.2 to conform to RFC-5424.

Comment by richlv [ 2013 Dec 19 ]

as noted, syslog tag fix will be also included in older versions - closing this one as duplicate.

as for the hostname, it seems to be the responsibility of syslog software. http://www.lv.freebsd.org/doc/handbook/configtuning-syslog.html says "...in the case of remote logging, also the hostname of the machine generating the logging event"

and a quick test on linux with syslogd confirms that hostname is logged for zabbix daemon messages
