Rust Syslog Sniffer

A syslog packet sniffer written in Rust.

Building and Running

Local Build

# Build the project
make build

# Run tests
make test

# Run the application
make run

Supported Architectures

• linux/amd64: Standard 64-bit Intel/AMD systems
• linux/arm64: Raspberry Pi 3, 4, 5, and other ARM64 devices
• linux/arm/v7: 32-bit Raspberry Pi and other ARMv7 devices

Docker Build

The project uses Debian Trixie-based Docker images for runtime compatibility and wider ecosystem support.

Two Dockerfiles:

• Dockerfile - Builds from source (for local development and testing)
• Dockerfile.release - Uses pre-built binaries (for published multi-arch images)

Build Docker Image

make docker-build

Or manually:

docker build -t syslog_sniffer:latest .

Run Docker Container

# Run with default options
make docker-run

# Run with custom arguments
make docker-run ARGS="--interface eth0 --port 514"

# Run with custom interface (manual docker command)
docker run --rm --cap-add=NET_RAW --cap-add=NET_ADMIN \
  --network host \
  syslog_sniffer:latest --interface eth0

# Run interactively
make docker-run-interactive

Published Docker Images

The image is published on Docker Hub at: docker.io/hellqvio/syslog_sniffer

Multi-architecture support:

• linux/amd64 - Standard 64-bit Intel/AMD systems
• linux/arm64 - Raspberry Pi 3, 4, 5, and other ARM64 devices
• linux/arm/v7 - 32-bit Raspberry Pi and other ARMv7 devices

# Pull and run the latest release
docker run --rm --user root --cap-add=NET_RAW --cap-add=NET_ADMIN --network host \
  docker.io/hellqvio/syslog_sniffer:latest --interface eth0

# With custom arguments
docker run --rm --user root --cap-add=NET_RAW --cap-add=NET_ADMIN --network host \
  docker.io/hellqvio/syslog_sniffer:latest --interface eth0 --port 1514

Note: The container requires NET_RAW and NET_ADMIN capabilities for packet capture. Using --network host allows the container to access the host's network interfaces. We also use --user root to ensure the process has permission to use these capabilities.

Troubleshooting

Start bash in the container to debug:

# Debug with default capabilities
make docker-run-interactive

# Debug with privileged mode (if you get "Operation not permitted")
make docker-run-interactive PRIVILEGED=1

Note

Why "Operation not permitted"? Even with NET_RAW and NET_ADMIN capabilities, host security modules (SELinux on Fedora/RHEL, AppArmor on Debian/Ubuntu) may block the container from opening raw sockets or accessing physical network interfaces.

Common Fix: Ensure you are running as root (--user root) inside the container.

If the error persists, you have two options:

1. Run with privileged mode (Recommended):

   • Make: make docker-run PRIVILEGED=1
   • Manual: docker run --user root --privileged ...

2. Disable specific security profiles (Advanced): Fedora/RHEL (SELinux):

   • Make: make docker-run DOCKER_OPTS="--security-opt label=disable"
   • Manual: docker run --user root --security-opt label=disable ...

   Debian/Ubuntu (AppArmor):

   • Make: make docker-run DOCKER_OPTS="--security-opt apparmor=unconfined"
   • Manual: docker run --user root --security-opt apparmor=unconfined ...

Push to Registry

# Tag and push to your registry
make docker-push REGISTRY=docker.io/yourusername

# Or manually
docker tag syslog_sniffer:latest docker.io/yourusername/syslog_sniffer:latest
docker push docker.io/yourusername/syslog_sniffer:latest

Docker Image Details

• Base Image: Debian Trixie Slim (glibc compatibility, optimized size)
• Build Image: ~30MB (from source)
• Release Image: ~15MB (pre-built binaries)

Available Make Targets

Run make help to see all available targets:

make build              # Build the Rust project
make test               # Run tests
make docker-build       # Build Docker image
make docker-run         # Run Docker container
make docker-push        # Push to registry (requires REGISTRY variable)
make docker-clean       # Remove Docker images

make clean              # Clean build artifacts
make coverage           # Generate coverage report
make sbom               # Generate CycloneDX SBOM

Usage

syslog_sniffer [OPTIONS]

Options:
  --interface <INTERFACE>  Network interface to sniff (e.g., eth0)
  --port <PORT>           Syslog port to monitor (default: 514)
  --help                  Print help information

Development

# Format code
make format

# Run linter
make clippy

# Check code
make check

# Generate coverage
make coverage
# Detailed HTML report will be available at tarpaulin-report.html

Supply Chain Security (SBOM)

This project integrates SBOM (Software Bill of Materials) generation and embedding to ensure supply chain security:

• Embedded SBOM: Production binaries are built using cargo-auditable, which embeds the dependency list directly into the executable.
• CycloneDX SBOM: Standardized SBOM files in JSON format are generated during the CI process and available as release artifacts.
• Local Generation: Use make sbom to generate a local CycloneDX SBOM.

To inspect the embedded SBOM in a binary, you can use cargo auditable extract <path-to-binary>.

CI/CD

This project uses GitHub Actions for continuous integration. The workflow runs on every push and pull request to main or master branches.

It performs the following checks:

• Formatting: Checks code formatting with cargo fmt.
• Linting: Runs cargo clippy to catch common mistakes.
• Tests: Runs unit tests with cargo test.
• E2E Tests: Runs the Docker-based end-to-end test script tests/e2e_docker.sh.

License

MIT