Merge pull request #1268 from kernelkit/syslog-matching

Syslog Enhancements

Author: troglobit

board/common/rootfs/etc/bash.bashrc

@@ -31,6 +31,8 @@ bind "set completion-ignore-case on"
 # show all completions immediately instead of ringing bell
 bind "set show-all-if-ambiguous on"
 
+export LANG=C.UTF-8
+
 log()
 {
     local fn="/var/log/syslog"

board/common/rootfs/etc/finit.conf

@@ -1,2 +1,3 @@
 set COLORTERM=yes
-rlimit soft core infinity
+set LANG=C.UTF-8
+rlimit soft core infinity

board/common/rootfs/etc/profile.d/convenience.sh

@@ -3,6 +3,7 @@ alias la='ls -A'
 alias ll='ls -alF'
 alias ls='ls --color=auto'
 
+export LANG=C.UTF-8
 export EDITOR=/usr/bin/edit
 export VISUAL=/usr/bin/edit
 export LESS="-P %f (press h for help or q to quit)"

doc/ChangeLog.md

@@ -48,6 +48,17 @@ All notable changes to the project are documented in this file.
 - Add CLI commands for managing boot partition order: `show boot-order` and
   `set boot-order` allow viewing and changing the boot order from the CLI,
   complementing the existing YANG RPC support, issue #1032
+- Extended syslog filtering capabilities, issue #1091:
+   - Add support for pattern matching using POSIX extended regular expressions
+     on message content (IETF `select-match` feature)
+   - Add support for advanced severity comparison: exact match (`equals`) and
+     exclusion (`block`/`stop`) in addition to the default equals-or-higher
+     (IETF `select-adv-compare` feature)
+   - Add support for hostname-based filtering, useful when acting as a log
+     server to route messages from different devices to separate log files
+   - Add support for property-based filtering with operators (contains, isequal,
+     startswith, regex, ereregex) on message properties (msg, msgid, programname,
+     hostname, source, data), with optional case-insensitive and negate modifiers
 
 ### Fixes
 

doc/syslog.md

@@ -191,8 +191,114 @@ admin@example:/>
 ```
 
 See the above [Log to File](#log-to-file) section on how to set up
-filtering of received logs to local files.  Please note, filtering based
-on property, e.g., hostname, is not supported yet.
+filtering of received logs to local files.  Advanced filtering based
+on hostname and message properties is also available, see the next
+section for details.
+
+## Advanced Filtering
+
+The syslog subsystem supports several advanced filtering options that
+allow fine-grained control over which messages are logged.  These can
+be combined with facility and severity filters to create sophisticated
+logging rules.
+
+### Pattern Matching
+
+Messages can be filtered using regular expressions (POSIX extended regex)
+on the message content.  This is useful when you want to log only messages
+containing specific keywords or patterns:
+
+```
+admin@example:/config/> edit syslog actions log-file file:errors
+admin@example:/config/syslog/…/file:errors/> set pattern-match "ERROR|CRITICAL|FATAL"
+admin@example:/config/syslog/…/file:errors/> set facility-list all severity info
+admin@example:/config/syslog/…/file:errors/> leave
+admin@example:/>
+```
+
+This will log all messages containing ERROR, CRITICAL, or FATAL.
+
+### Advanced Severity Comparison
+
+By default, severity filtering uses "equals-or-higher" comparison,
+meaning a severity of `error` will match error, critical, alert, and
+emergency messages.  You can change this behavior:
+
+```
+admin@example:/config/> edit syslog actions log-file file:daemon-errors
+admin@example:/config/syslog/…/file:daemon-errors/> set facility-list daemon
+admin@example:/config/syslog/…/daemon/> set severity error
+admin@example:/config/syslog/…/daemon/> set advanced-compare compare equals
+admin@example:/config/syslog/…/daemon/> leave
+admin@example:/>
+```
+
+This will log only `error` severity messages, not higher severities.
+
+You can also block specific severities:
+
+```
+admin@example:/config/syslog/…/daemon/> set advanced-compare action block
+```
+
+This will exclude `error` messages from the log.
+
+### Hostname Filtering
+
+When acting as a log server, you can filter messages by hostname.  This
+is useful for directing logs from different devices to separate files:
+
+```
+admin@example:/config/> edit syslog actions log-file file:router1
+admin@example:/config/syslog/…/file:router1/> set hostname-filter router1
+admin@example:/config/syslog/…/file:router1/> set facility-list all severity info
+admin@example:/config/syslog/…/file:router1/> leave
+admin@example:/>
+```
+
+Multiple hostnames can be added to the filter list.
+
+### Property-Based Filtering
+
+For more advanced filtering, you can match on specific message properties
+using various comparison operators:
+
+```
+admin@example:/config/> edit syslog actions log-file file:myapp
+admin@example:/config/syslog/…/file:myapp/> edit property-filter
+admin@example:/config/syslog/…/property-filter/> set property programname
+admin@example:/config/syslog/…/property-filter/> set operator isequal
+admin@example:/config/syslog/…/property-filter/> set value myapp
+admin@example:/config/syslog/…/property-filter/> leave
+admin@example:/>
+```
+
+Available properties:
+- `msg`: Message body
+- `msgid`: RFC5424 message identifier
+- `programname`: Program/tag name
+- `hostname`: Source hostname
+- `source`: Alias for hostname
+- `data`: RFC5424 structured data
+
+Available operators:
+- `contains`: Substring match
+- `isequal`: Exact equality
+- `startswith`: Prefix match
+- `regex`: Basic regular expression
+- `ereregex`: Extended regular expression (POSIX ERE)
+
+The comparison can be made case-insensitive:
+
+```
+admin@example:/config/syslog/…/property-filter/> set case-insensitive true
+```
+
+Or negated to exclude matching messages:
+
+```
+admin@example:/config/syslog/…/property-filter/> set negate true
+```
 
 ### Facilities
 

package/skeleton-init-finit/skeleton/etc/default/sysklogd

@@ -1,5 +1,7 @@
-# -l      :: Keep kernel looging to console
+# -H      :: Log remote messages using hostname from the message
+# -l      :: Keep kernel logging to console
 # -m0     :: Disable periodic syslog MARK entries
+# -n      :: Disable DNS query for every request, trust hostname in message
 # -s      :: Enable secure mode, don't listen to remote logs
 # -r 1M:5 :: Log rotation every 1 MiB and keep 5 rotated ones
-SYSLOGD_ARGS="-l -m0"
+SYSLOGD_ARGS="-H -l -m0"

patches/sysklogd/2.7.2/0001-syslogd-fix-UTF-8-handling-with-8-flag-for-RFC5424-c.patch

@@ -1,7 +1,7 @@
 From 31dfe0d16461d2852f3fc56cb82aed3a23db022f Mon Sep 17 00:00:00 2001
 From: Joachim Wiberg <[email protected]>
 Date: Thu, 25 Sep 2025 16:48:31 +0200
-Subject: [PATCH] syslogd: fix UTF-8 handling with -8 flag, for RFC5424
+Subject: [PATCH 1/4] syslogd: fix UTF-8 handling with -8 flag, for RFC5424
  compliance
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8

patches/sysklogd/2.7.2/0002-syslogd-fix-parentheses-handling-in-RFC-3164-tag-par.patch

@@ -0,0 +1,78 @@
+From f9b6531430c6485af4697a5868a6f43c93d20419 Mon Sep 17 00:00:00 2001
+From: Joachim Wiberg <[email protected]>
+Date: Fri, 26 Sep 2025 08:42:57 +0200
+Subject: [PATCH 2/4] syslogd: fix parentheses handling in RFC 3164 tag parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Wires
+
+Some applications use tag names like "(polkit-agent)" which sysklogd do
+not handle well.  This patch aims to address this and also add a bit of
+logic to normalize such tags:
+
+- Allow parentheses in tag character set for broader compatibility
+- Smart parsing: strip surrounding parentheses from complete tags like
+  "(polkit-agent):" → "polkit-agent", while preserving partial parentheses
+  like "app(version):" unchanged
+- Maintain RFC compliance: both RFC3164 and RFC5424 allow parentheses
+- Preserve all existing functionality and edge case handling
+
+Fixes #104
+
+Signed-off-by: Joachim Wiberg <[email protected]>
+---
+ src/syslogd.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/src/syslogd.c b/src/syslogd.c
+index fa82d98..37e1920 100644
+--- a/src/syslogd.c
++++ b/src/syslogd.c
+@@ -1309,15 +1309,36 @@ parsemsg_rfc3164_app_name_procid(char **msg, char **app_name, char **procid)
+ 	m = *msg;
+ 
+ 	/* Application name. */
+-	app_name_begin = m;
+-	app_name_length = strspn(m,
+-	    "abcdefghijklmnopqrstuvwxyz"
+-	    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+-	    "0123456789"
+-	    "._-/");
++	/* Check if tag is surrounded by parentheses like (polkit-agent) */
++	if (*m == '(') {
++		char *closing = strchr(m + 1, ')');
++		if (closing && (closing[1] == ':' || closing[1] == '[' || isblank(closing[1]) || closing[1] == '\0')) {
++			/* Found complete parenthetical tag, strip parentheses */
++			app_name_begin = m + 1;
++			app_name_length = closing - (m + 1);
++			m = closing + 1;
++		} else {
++			/* Incomplete or malformed, treat normally */
++			app_name_begin = m;
++			app_name_length = strspn(m,
++			    "abcdefghijklmnopqrstuvwxyz"
++			    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++			    "0123456789"
++			    "._-/()");
++			m += app_name_length;
++		}
++	} else {
++		app_name_begin = m;
++		app_name_length = strspn(m,
++		    "abcdefghijklmnopqrstuvwxyz"
++		    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++		    "0123456789"
++		    "._-/()");
++		m += app_name_length;
++	}
++
+ 	if (app_name_length == 0)
+ 		goto bad;
+-	m += app_name_length;
+ 
+ 	/* Process identifier (optional). */
+ 	if (*m == '[') {
+-- 
+2.43.0
+