From ecaed9b5baf43e8be12ebf87968cccfd4f9898f8 Mon Sep 17 00:00:00 2001
From: Sonic Build Admin <sonicbld@microsoft.com>
Date: Wed, 12 Mar 2025 22:14:02 +0000
Subject: [PATCH] [rsyslog]: Remote logging with the highest rule priority

<!--
     Please make sure you've read and understood our contributing guidelines:
     https://github.com/Azure/SONiC/blob/gh-pages/CONTRIBUTING.md

     ** Make sure all your commits include a signature generated with `git commit -s` **

     If this is a bug fix, make sure your description includes "fixes #xxxx", or
     "closes #xxxx" or "resolves #xxxx"

     Please provide the following information:
-->

#### Why I did it
This fix resolves issue with missing certain types of messages while forwarding to the remote server.

Basically, this moves remote syslog forwarding rules to be executed before any other instructions take place,
so everything received by a local syslog instance will be forwarded to the remote machine.

The fix allows remote forwarding of messages defined as:
https://github.com/sonic-net/sonic-buildimage/blob/master/files/image_config/rsyslog/rsyslog.d/00-sonic.conf.j2

#### Work item tracking
* N/A

#### How I did it
* Moved `rsyslog` remote forwarding rules to be on top of other syslog instructions

#### How to verify it
<!--
If PR needs to be backported, then the PR must be tested against the base branch and the earliest backport release branch and provide tested image version on these two branches. For example, if the PR is requested for master, 202211 and 202012, then the requester needs to provide test results on master and 202012.
-->
1. Enable remote syslog forwarding
2. Check for message patterns defined as [00-sonic.conf.j2](https://github.com/sonic-net/sonic-buildimage/blob/master/files/image_config/rsyslog/rsyslog.d/00-sonic.conf.j2)

#### Which release branch to backport (provide reason below if selected)

<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [ ] 202205
- [ ] 202211
- [ ] 202305

#### Tested branch (Please provide the tested image version)

<!--
- Please provide tested image version
- e.g.
- [x] 20201231.100
-->

- [x] master <!-- image version 1 -->

#### Description for the changelog
<!--
Write a short (one line) summary that describes the changes in this
pull request for inclusion in the changelog:
-->
* N/A

#### Link to config_db schema for YANG module changes
<!--
Provide a link to config_db schema for the table for which YANG model
is defined
Link should point to correct section on https://github.com/Azure/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md
-->
* N/A

#### A picture of a cute animal (not mandatory but encouraged)
```
      .---.        .-----------
     /     \  __  /    ------
    / /     \(  )/    -----
   //////   ' \/ `   ---
  //// / // :    : ---
 // /   /  /`    '--
//          //..\\
       ====UU====UU====
           '//||\\`
             ''``
```
---
 files/image_config/rsyslog/rsyslog.conf.j2    | 56 +++++++++----------
 src/sonic-config-engine/setup.cfg             |  2 +
 .../tests/sample_output/py3/rsyslog.conf      | 23 ++++----
 .../py3/rsyslog_with_docker0.conf             | 23 ++++----
 4 files changed, 52 insertions(+), 52 deletions(-)
 create mode 100644 src/sonic-config-engine/setup.cfg

diff --git a/files/image_config/rsyslog/rsyslog.conf.j2 b/files/image_config/rsyslog/rsyslog.conf.j2
index b68ba2e77e5b..7958e74bf958 100644
--- a/files/image_config/rsyslog/rsyslog.conf.j2
+++ b/files/image_config/rsyslog/rsyslog.conf.j2
@@ -64,34 +64,6 @@ template(name="WelfRemoteFormat" type="string" string="%TIMESTAMP% id=firewall t
 :::date-year%-%timereported:::date-month%-%timereported:::date-day% %timereported:::date-hour%:%timereported:::date-minute%:%timereported\
 :::date-second%\" fw=\"{{ fw_name }}\" pri=%syslogpriority% msg=\"%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\"\n")
 
-#
-# Set the default permissions for all log files.
-#
-$FileOwner root
-$FileGroup adm
-$FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
-
-#
-# Where to place spool and state files
-#
-$WorkDirectory /var/spool/rsyslog
-
-#
-# Include all config files in /etc/rsyslog.d/
-#
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-#
-# Suppress duplicate messages and report "message repeated n times"
-#
-$RepeatedMsgReduction on
-
-###############
-#### RULES ####
-###############
-
 #
 # Remote syslog logging
 #
@@ -134,3 +106,31 @@ $RepeatedMsgReduction on
 *.{{ severity }}
 action(type="omfwd" Target="{{ server }}" Port="{{ port }}" Protocol="{{ proto }}" Template="{{ template }}"{{ options }})
 {% endfor %}
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+#
+# Suppress duplicate messages and report "message repeated n times"
+#
+$RepeatedMsgReduction on
+
+###############
+#### RULES ####
+###############
diff --git a/src/sonic-config-engine/setup.cfg b/src/sonic-config-engine/setup.cfg
new file mode 100644
index 000000000000..b7e478982ccf
--- /dev/null
+++ b/src/sonic-config-engine/setup.cfg
@@ -0,0 +1,2 @@
+[aliases]
+test=pytest
diff --git a/src/sonic-config-engine/tests/sample_output/py3/rsyslog.conf b/src/sonic-config-engine/tests/sample_output/py3/rsyslog.conf
index e62c29781bc0..6a2aecf9e19a 100644
--- a/src/sonic-config-engine/tests/sample_output/py3/rsyslog.conf
+++ b/src/sonic-config-engine/tests/sample_output/py3/rsyslog.conf
@@ -49,6 +49,17 @@ template(name="WelfRemoteFormat" type="string" string="%TIMESTAMP% id=firewall t
 :::date-year%-%timereported:::date-month%-%timereported:::date-day% %timereported:::date-hour%:%timereported:::date-minute%:%timereported\
 :::date-second%\" fw=\"kvm-host\" pri=%syslogpriority% msg=\"%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\"\n")
 
+#
+# Remote syslog logging
+#
+
+# The omfwd plug-in provides the core functionality of traditional message
+# forwarding via UDP and plain TCP. It is a built-in module that does not need
+# to be loaded.
+
+*.*
+action(type="omfwd" Target="3.3.3.3" Port="514" Protocol="udp" Template="SONiCForwardFormat")
+
 #
 # Set the default permissions for all log files.
 #
@@ -76,15 +87,3 @@ $RepeatedMsgReduction on
 ###############
 #### RULES ####
 ###############
-
-#
-# Remote syslog logging
-#
-
-# The omfwd plug-in provides the core functionality of traditional message
-# forwarding via UDP and plain TCP. It is a built-in module that does not need
-# to be loaded.
-
-*.*
-action(type="omfwd" Target="3.3.3.3" Port="514" Protocol="udp" Template="SONiCForwardFormat")
-
diff --git a/src/sonic-config-engine/tests/sample_output/py3/rsyslog_with_docker0.conf b/src/sonic-config-engine/tests/sample_output/py3/rsyslog_with_docker0.conf
index 0c845227aa13..f6a340e0053e 100644
--- a/src/sonic-config-engine/tests/sample_output/py3/rsyslog_with_docker0.conf
+++ b/src/sonic-config-engine/tests/sample_output/py3/rsyslog_with_docker0.conf
@@ -51,6 +51,17 @@ template(name="WelfRemoteFormat" type="string" string="%TIMESTAMP% id=firewall t
 :::date-year%-%timereported:::date-month%-%timereported:::date-day% %timereported:::date-hour%:%timereported:::date-minute%:%timereported\
 :::date-second%\" fw=\"kvm-host\" pri=%syslogpriority% msg=\"%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\"\n")
 
+#
+# Remote syslog logging
+#
+
+# The omfwd plug-in provides the core functionality of traditional message
+# forwarding via UDP and plain TCP. It is a built-in module that does not need
+# to be loaded.
+
+*.*
+action(type="omfwd" Target="3.3.3.3" Port="514" Protocol="udp" Template="SONiCForwardFormat")
+
 #
 # Set the default permissions for all log files.
 #
@@ -78,15 +89,3 @@ $RepeatedMsgReduction on
 ###############
 #### RULES ####
 ###############
-
-#
-# Remote syslog logging
-#
-
-# The omfwd plug-in provides the core functionality of traditional message
-# forwarding via UDP and plain TCP. It is a built-in module that does not need
-# to be loaded.
-
-*.*
-action(type="omfwd" Target="3.3.3.3" Port="514" Protocol="udp" Template="SONiCForwardFormat")
-