sysklogd-next (v3.0)

.github/workflows/build.yml

@@ -11,6 +11,10 @@ on:
     branches:
       - '**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     # Verify we can build on latest Ubuntu with both gcc and clang
@@ -26,16 +30,15 @@ jobs:
     steps:
       - name: Install dependencies
         run: |
-          sudo apt-get -y update
-          sudo apt-get -y install tree tshark valgrind
-      - uses: actions/checkout@v4
+          sudo apt-get -y install tree tshark valgrind libssl-dev
+      - uses: actions/checkout@v6
       - name: Configure
         run: |
           set -x
           ./autogen.sh
           mkdir -p build/dir
           cd build/dir
-          ../../configure --prefix=/tmp --with-systemd=/tmp/lib/systemd/system
+          ../../configure --prefix=/tmp --with-systemd=/tmp/lib/systemd/system --with-openssl
           chmod -R a+w .
       - name: Build
         run: |
@@ -63,7 +66,7 @@ jobs:
         run: |
           cd build/dir
           make check || (cat test/test-suite.log; false)
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.compiler }}-test-logs
           path: build/dir/test/*.log

.github/workflows/coverity.yml

@@ -15,8 +15,8 @@ jobs:
   coverity:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v6
+      - uses: actions/cache@v5
         id: coverity-toolchain-cache
         with:
           path: cov-analysis-linux64
@@ -53,7 +53,7 @@ jobs:
             --form description="${PROJECT_NAME} $(git rev-parse HEAD)" \
             https://scan.coverity.com/builds?project=${COVERITY_PROJ}
       - name: Upload build.log
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: coverity-build.log
           path: cov-int/build-log.txt

.github/workflows/release.yml

@@ -11,10 +11,9 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Installing dependencies ...
         run: |
-          sudo apt-get -y update
           sudo apt-get -y install tree tshark valgrind
       - name: Creating Makefiles ...
         run: |

ChangeLog.md

@@ -4,6 +4,36 @@ Change Log
 All relevant changes to the project are documented in this file.
 
 
+[UNRELEASED][]
+-----------------------
+
+### Changes
+- Add TCP transport for syslog forwarding per RFC 6587.  Two syntaxes
+  supported for forwarding: `@@host:port` and `tcp://host:port`.  For
+  receiving: `listen tcp://addr:port`.  Uses octet counting framing
+  for sending, supports both octet counting and LF-delimited framing
+  for receiving
+- Add optional RFC 5848 signed syslog message support.  Requires
+  OpenSSL and `./configure --with-openssl`.  New config options:
+  `sign_sg`, `sign_delim_sg2`, `sign_keyfile`, `sign_certfile`.
+  Provides cryptographic signing of messages for origin authentication,
+  message integrity, and replay resistance
+- Add optional RFC 5425 TLS transport for syslog.  Requires OpenSSL
+  and `./configure --with-openssl`.  Three syntaxes supported for
+  forwarding: `@@@host:port`, `tls://host:port`, and `tls4://` or
+  `tls6://` for IPv4/IPv6 specific.  For receiving: `listen tls://addr:port`.
+  New config options: `tls_keyfile`, `tls_certfile`, `tls_cafile`,
+  `tls_capath`, `tls_verify`.  Per-action options: `verify=off|optional|
+  required|hostname`, `fingerprint=SHA256:...` for certificate pinning,
+  `tls_keyfile=`, `tls_certfile=` for mutual TLS authentication.
+  Default port is 6514 per RFC 5425
+
+### Fixes
+- Fix use-after-free in socket polling when callbacks close sockets
+  during iteration.  Could cause undefined behavior when handling
+  multiple concurrent TCP connections
+
+
 [v2.7.2][] - 2025-03-31
 -----------------------
 
@@ -692,7 +722,7 @@ and a replacement for `syslog.h` to enable new features in RFC5424.
 - Several bugfixes and improvements, please refer to the .c files
 
 
-[UNRELEASED]: https://github.com/troglobit/sysklogd/compare/v2.7.1...HEAD
+[UNRELEASED]: https://github.com/troglobit/sysklogd/compare/v2.7.2...HEAD
 [v2.7.2]:     https://github.com/troglobit/sysklogd/compare/v2.7.1...v2.7.2
 [v2.7.1]:     https://github.com/troglobit/sysklogd/compare/v2.7.0...v2.7.1
 [v2.7.0]:     https://github.com/troglobit/sysklogd/compare/v2.6.2...v2.7.0

README.md

@@ -13,34 +13,38 @@
 Table of Contents
 -----------------
 
-* [Introduction](#introduction)
-* [Using -lsyslog](#using--lsyslog)
-* [Build & Install](#build--install)
-* [Building from GIT](#building-from-git)
-* [Origin & References](#origin--references)
-
-> **Tip:** the Gentoo project has a very nice article detailing sysklogd
+- [Introduction](#introduction)
+- [Using -lsyslog](#using--lsyslog)
+- [Build & Install](#build--install)
+- [Building from GIT](#building-from-git)
+- [Origin & References](#origin--references)
+
+> [!TIP]
+> The Gentoo project has a very nice article detailing sysklogd
 > ➤ <https://wiki.gentoo.org/wiki/Sysklogd>
 
-
 Introduction
 ------------
 
-This is the continuation of the original Debian/Ubuntu syslog daemon,
-updated with full [RFC3164][] and [RFC5424][] support from NetBSD and
-FreeBSD.  The package includes the `libsyslog.{a,so}` library with a
-`syslog.h` header replacement, the `syslogd` daemon, and a command
-line tool called `logger`.
+This is the continuation of the original Debian/Ubuntu syslog daemon, updated to
+full RFC compliance according to syslog standards [RFC3164][] and [RFC5424][],
+derived from NetBSD and FreeBSD.  It also supports TCP ([RFC6587][]) and TLS
+encrypted transport ([RFC5425][]), as well as cryptographically signed log
+messages ([RFC5848][]).
 
-- https://man.troglobit.com/man1/logger.1.html
-- https://man.troglobit.com/man8/syslogd.8.html
-- https://man.troglobit.com/man5/syslog.conf.5.html
+The package includes the `libsyslog.{a,so}` library with a `syslog.h` header
+replacement, the `syslogd` daemon, and a command line tool called `logger`.
+`libsyslog` and `syslog/syslog.h` are derived directly from NetBSD and expose
+`syslogp()` and other new features available only in [RFC5424][] (not yet
+available in GLIBC).
 
-`libsyslog` and `syslog/syslog.h`, derived directly from NetBSD, expose
-`syslogp()` and other new features available only in [RFC5424][]:
+Read more about each component and the APIs:
 
-- https://man.troglobit.com/man3/syslogp.3.html
-- https://netbsd.gw.com/cgi-bin/man-cgi?syslog+3+NetBSD-current
+- <https://man.troglobit.com/man1/logger.1.html>
+- <https://man.troglobit.com/man8/syslogd.8.html>
+- <https://man.troglobit.com/man5/syslog.conf.5.html>
+- <https://man.troglobit.com/man3/syslogp.3.html>
+- <https://netbsd.gw.com/cgi-bin/man-cgi?syslog+3+NetBSD-current>
 
 The `syslogd` daemon is an enhanced version of the standard Berkeley
 utility program, updated with DNA from FreeBSD.  It provides logging of
@@ -88,6 +92,12 @@ Main differences from the original sysklogd package are:
 - Touch PID file on `SIGHUP`, for integration with [Finit][]
 - GNU configure & build system to ease porting/cross-compiling
 - Support for configuring remote syslog timeout
+- Support for [RFC6587][] TCP syslog transport, for sender and receiver
+- Per-destination in-memory send queue for TCP forwarding: messages accumulate
+  during outages and are flushed automatically on reconnect, with configurable
+  suspension time (`tcp_suspend_time` in `syslog.conf`)
+- Support for [RFC5425][] TLS encrypted syslog transport (only if built with OpenSSL support)
+- Support for [RFC5848][] cryptographically signed log messages (only if built with OpenSSL support)
 
 Please file bug reports, or send pull requests for bug fixes and/or
 proposed extensions at [GitHub][Home].
@@ -208,6 +218,9 @@ now [3-clause BSD][BSD License] licensed.
 
 [RFC3164]:          https://tools.ietf.org/html/rfc3164
 [RFC5424]:          https://tools.ietf.org/html/rfc5424
+[RFC5425]:          https://tools.ietf.org/html/rfc5425
+[RFC5848]:          https://tools.ietf.org/html/rfc5848
+[RFC6587]:          https://tools.ietf.org/html/rfc6587
 [Martin Schulze]:   http://www.infodrom.org/projects/sysklogd/
 [Joachim Wiberg]:   https://troglobit.com
 [Finit]:            https://github.com/troglobit/finit

configure.ac

@@ -25,7 +25,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-AC_INIT([sysklogd], [2.7.2],
+AC_INIT([sysklogd], [3.0.0-beta1],
 	[https://github.com/troglobit/sysklogd/issues],,
 	[https://github.com/troglobit/sysklogd])
 AC_CONFIG_AUX_DIR(aux)
@@ -87,6 +87,23 @@ AC_ARG_WITH(logger,
 AS_IF([test "x$logger" != "xno"], with_logger="yes", with_logger="no")
 AM_CONDITIONAL([ENABLE_LOGGER], [test "x$with_logger" != "xno"])
 
+# Optional OpenSSL support for RFC 5848 signed syslog messages
+AC_ARG_WITH([openssl],
+     AS_HELP_STRING([--with-openssl], [Enable RFC 5848 signed syslog messages (requires OpenSSL)]),
+     [], [with_openssl=no])
+
+AS_IF([test "x$with_openssl" != "xno"], [
+     PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.0], [
+          AC_DEFINE([HAVE_OPENSSL], [1], [Define if OpenSSL is available for RFC 5848 signing])
+          have_openssl=yes
+     ], [
+          AS_IF([test "x$with_openssl" = "xyes"],
+               [AC_MSG_ERROR([OpenSSL >= 1.1.0 requested but not found])])
+          have_openssl=no
+     ])
+], [have_openssl=no])
+AM_CONDITIONAL([ENABLE_SSL], [test "x$have_openssl" = "xyes"])
+
 AS_IF([test "x$dns_delay" != "xno"],[
 	AS_IF([test "x$dns_delay" = "xyes"],[
 		AC_MSG_ERROR([Must supply argument])])
@@ -149,6 +166,7 @@ cat <<EOF
   dns retry delay: $dns_delay sec
   suspend time...: $suspend_time sec
   systemd........: $with_systemd
+  RFC5848 signing: $have_openssl
 
 ------------- Compiler version --------------
 $($CC --version || true)

man/logger.1

@@ -33,7 +33,7 @@
 .Nd Send messages to system log daemon, or a log file
 .Sh SYNOPSIS
 .Nm
-.Op Fl 46bchiknsv
+.Op Fl 46bchiknsvV
 .Op Fl d Ar SD
 .Op Fl f Ar FILE
 .Op Fl h Ar HOST
@@ -47,7 +47,7 @@
 .Op Fl t Ar TAG
 .Op Fl u Ar SOCK
 .Op Ar MESSAGE
-.Sh DESCRIPTIOMN
+.Sh DESCRIPTION
 .Nm
 can be used to log messages to a local or remote system log daemon, or a
 log file, from a UNIX shell, or script.  The new
@@ -109,9 +109,25 @@ will be used.  This is the same as using the special character
 as the
 .Ar hostname .
 .It Fl h Ar host
-Send the message to the remote system
+Send the message to the remote syslog server
 .Ar host
 instead of logging it locally.
+The argument may include a transport prefix and an optional port:
+.Bl -tag -compact -width "tcp://HOST:PORT"
+.It Cm udp:// Ns Ar HOST Ns Op : Ns Ar PORT
+Send over UDP (default when no prefix is given).
+.It Cm tcp:// Ns Ar HOST Ns Op : Ns Ar PORT
+Send over TCP using RFC 6587 octet-count framing.
+.El
+When a port is embedded in the URL it takes precedence over
+.Fl P .
+IPv6 addresses require bracket notation:
+.Ql tcp://[::1]:514 .
+Note: bare IPv6 address literals (e.g.
+.Ql ::1 )
+are not supported directly in
+.Fl h ;
+always use bracket notation when specifying an IPv6 address.
 .It Fl I Ar PID
 Like
 .Fl i ,
@@ -194,6 +210,16 @@ Log to UNIX domain socket
 .Ar SOCK
 instead of the default
 .Pa /dev/log .
+.It Fl V
+Verbose mode.
+Prints diagnostic information to
+.Ar stderr :
+the resolved peer address and port, and for TCP the connection status
+and the exact syslog-formatted message transmitted.
+Useful for verifying that a remote syslogd is reachable and that the
+message content matches the expected format for filter rules.
+For UDP only the resolved peer is shown, since the transport gives
+no delivery confirmation.
 .It Fl v
 Show program version.
 .It Ar MESSAGE
@@ -213,6 +239,9 @@ call.
 .Bd -unfilled -offset left
 logger -t dropbear -p auth.notice "Successful login for user 'admin' from 1.2.3.4"
 logger -t udhcpc -f /tmp/script.log "New lease 1.2.3.200 obtained for interface eth0"
+logger -p kern.warn -h tcp://logserver:514 "test message over TCP"
+logger -p kern.warn -h tcp://[::1]:514 "test message to local IPv6 TCP listener"
+logger -V -p kern.warn -h tcp://logserver:514 -t myapp "verify syslogd setup"
 .Ed
 .Sh FILES
 .Bl -tag -width /dev/log -compact