Inconsistent date format in Vault Agent debug logs

[mikegreen]

Describe the bug

Vault agent log output is inconsistent in the date format when running in debug.
Some are YYYY/MM/DD, while others are YYYY-MM-DD
And that correlates to some being in server time (ie, the ones with timezone T) and some zulu.

2020/08/25 00:08:53.746776 [DEBUG] (runner) watching 1 dependencies
2020-08-24T18:09:03.919-0600 [INFO]  auth.handler: renewed auth token
2020/08/25 00:09:14.578845 [DEBUG] Found certificate and set lease duration to 605 seconds

2020-08-24T18:15:29.620-0600 [INFO]  auth.handler: starting renewal process
2020/08/25 00:15:29.620538 [INFO] (runner) stopping
2020/08/25 00:15:29.620562 [DEBUG] (runner) stopping watcher

To Reproduce
Run Vault in agent mode, ie

$ vault agent -config=agent-demo.hcl -log-level=DEBUG

Expected behavior
Log format to be consistent, can be slash or dash delimited, but not mixed.

Environment:

• Vault Server Version (retrieve with vault status): Vault v1.5.0
• Vault CLI Version (retrieve with vault version): Vault v1.4.2+prem
• Server Operating System/Architecture: Darwin CLI, Ubuntu 18.x server

[aphorise]

I'm thinking if this could be ISO formating set local to VM?

@mikegreen - can you provide locale details:

grep -v '#' /etc/locale.gen && printf '___\n' && locale -a && printf '___\n' && locale ;

[mikegreen]

Darwin doesn't seem to have /etc/locale.gen ?

$ locale
LANG="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL=

[aphorise]

@mikegreen - can you try setting and running again to see if it impacts anything:

export LANGUAGE=en_US.UTF-8 ;
export LANG=en_US.UTF-8 ;
export LC_ALL=en_US.UTF-8 ;
locale-gen en_US.UTF-8 && dpkg-reconfigure locales ;
# // check again you should have: /etc/locale.gen

Otherwise I think it might actually be related to consul-template.

[aphorise]

Like this part specifically with the logger maybe

[aphorise]

@mikegreen - please also output: locale -k LC_TIME - I think it may actually be related:

uname -a
  # Linux hsm1-vault1 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux

locale -k LC_TIME
  # ...
  # date_fmt="%a %d %b %Y %r %Z"

# // in the case of my MacOs for example:
locale -k LC_TIME
  # ...
  # t_fmt_ampm="%I:%M:%S %p"
  # era=""
  # era_d_fmt=""
  # era_t_fmt=""
  # era_d_t_fmt=""
  # alt_digits=""
  # d_t_fmt="%a %b %e %X %Y"
  # d_fmt="%m/%d/%Y"
  # t_fmt="%H:%M:%S"

[mikegreen]

$ locale-gen en_US.UTF-8 && dpkg-reconfigure locales ;
-bash: locale-gen: command not found

Darwin MacBook-Pro.localdomain 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64 x86_64

$ locale -k LC_TIME
ab_day="Sun";"Mon";"Tue";"Wed";"Thu";"Fri";"Sat"
abday="Sun";"Mon";"Tue";"Wed";"Thu";"Fri";"Sat"
day="Sunday";"Monday";"Tuesday";"Wednesday";"Thursday";"Friday";"Saturday"
abmon="Jan";"Feb";"Mar";"Apr";"May";"Jun";"Jul";"Aug";"Sep";"Oct";"Nov";"Dec"
mon="January";"February";"March";"April";"May";"June";"July";"August";"September";"October";"November";"December"
am_pm="AM";"PM"
t_fmt_ampm="%I:%M:%S %p"
era=""
era_d_fmt=""
era_t_fmt=""
era_d_t_fmt=""
alt_digits=""
d_t_fmt="%a %b %e %X %Y"
d_fmt="%m/%d/%Y"
t_fmt="%H:%M:%S"

[aphorise]

Thanks for the input. For clarity the LC... settings do not seem to be related and I've observed the same condition you've shown in both Darwin & Debian. I'm rather confident its related to: consul-template. I can strive to take a look in the coming week (after 3rd of August) if no earlier attention is given to it.

My observations (UTC / 2 hour difference from other log entries)

==> Vault agent configuration:

           Api Address 1: http://127.0.0.1:8200
                     Cgo: disabled
               Log Level: trace
                 Version: Vault v1.5.0
             Version Sha: de37ed221f39704129c02f7a8981c1ac0cf432b4+CHANGES

2020-08-26T11:21:22.457+0200 [INFO]  sink.file: creating file sink
2020-08-26T11:21:22.457+0200 [TRACE] sink.file: enter write_token: path=vault-token-via-agent
2020-08-26T11:21:22.457+0200 [TRACE] sink.file: exit write_token: path=vault-token-via-agent
2020-08-26T11:21:22.457+0200 [INFO]  sink.file: file sink configured: path=vault-token-via-agent mode=-rw-r-----
2020-08-26T11:21:22.459+0200 [DEBUG] cache: auto-auth token is allowed to be used; configuring inmem sink
2020-08-26T11:21:22.459+0200 [INFO]  sink.server: starting sink server
2020-08-26T11:21:22.459+0200 [INFO]  auth.handler: starting auth handler
2020-08-26T11:21:22.459+0200 [INFO]  auth.handler: authenticating
2020-08-26T11:21:22.459+0200 [TRACE] auth.aws: beginning authentication
2020-08-26T11:21:22.459+0200 [INFO]  template.server: starting template server

2020/08/26 09:21:22.460160 [INFO] (runner) creating new runner (dry: false, once: false)
2020/08/26 09:21:22.460938 [DEBUG] (runner) final config: {"..."}
2020/08/26 09:21:22.461309 [INFO] (runner) creating watcher

2020-08-26T11:21:23.368+0200 [INFO]  sink.server: sink server stopped

2020/08/26 09:21:23.368481 [INFO] (runner) stopping
2020/08/26 09:21:23.368496 [DEBUG] (runner) stopping watcher
2020/08/26 09:21:23.368503 [DEBUG] (watcher) stopping all views

2020-08-26T11:21:23.368+0200 [INFO]  auth.handler: auth handler stopped
2020-08-26T11:21:23.368+0200 [INFO]  template.server: template server stopped
2020-08-26T11:21:23.368+0200 [TRACE] auth.aws: shutdown triggered, stopping aws auth handler

[calvn]

I've observed this as well, and it comes from the fact that the template server outputs logs in a format that is different to the rest of the agent's logs. We pass in the same writer to the template server, but it instantiates its own logger and thus adheres to its own logging format. I'll mark this as an enhancement for Agent, thanks for the report!

[aphorise]

I've created the following PR on Consul-Template which seems to fix the issue (not sure I broke anything else)

==> Vault agent configuration:

           Api Address 1: http://127.0.0.1:8300
                     Cgo: disabled
               Log Level: trace
                 Version: Vault v1.5.0
             Version Sha: 8bb35c207ee7e1c2dd77a47edb7e553aaf237f5e

2020-09-03T00:08:27.384+0200 [INFO]  sink.file: creating file sink
2020-09-03T00:08:27.384+0200 [TRACE] sink.file: enter write_token: path=vault-token-via-agent
2020-09-03T00:08:27.384+0200 [TRACE] sink.file: exit write_token: path=vault-token-via-agent
2020-09-03T00:08:27.384+0200 [INFO]  sink.file: file sink configured: path=vault-token-via-agent mode=-rw-r-----
2020-09-03T00:08:27.385+0200 [DEBUG] cache: auto-auth token is allowed to be used; configuring inmem sink
2020-09-03T00:08:27.385+0200 [INFO]  sink.server: starting sink server
2020-09-03T00:08:27.385+0200 [INFO]  auth.handler: starting auth handler
2020-09-03T00:08:27.385+0200 [INFO]  template.server: starting template server
2020-09-03T00:08:27.385+0200 [INFO]  auth.handler: authenticating
2020-09-03T00:08:27.385+0200 [TRACE] auth.aws: beginning authentication
2020-09-03T00:08:27.385+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2020-09-03T00:08:27.386+0200 [DEBUG] (runner) final config: { ……… }
2020-09-03T00:08:27.386+0200 [INFO] (runner) creating watcher
2020-09-03T00:08:27.386+0200 [ERROR] template.server: template server failed to create: error="failed to read template: open customer.tmpl: no such file or directory"
2020-09-03T00:08:27.386+0200 [INFO]  template.server: template server stopped
2020-09-03T00:08:27.387+0200 [ERROR] auth.handler: error authenticating: error="Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/aws/login
Code: 403. Errors:

* 1 error occurred:
	* permission denied

" backoff=2.538875047
^C==> Vault agent shutdown triggered
2020-09-03T00:08:27.948+0200 [INFO]  sink.server: sink server stopped
2020-09-03T00:08:27.948+0200 [TRACE] auth.aws: shutdown triggered, stopping aws auth handler
2020-09-03T00:08:27.948+0200 [INFO]  auth.handler: auth handler stopped

[vishalnayak]

@calvn @mikegreen @aphorise Based on the last comment on this issue, can this be considered fixed? If yes, we can close the issue.

[aphorise]

@vishalnayak - I'm not sure if the latest 1.6.0 build of Vault is with the updated version that included the merged hashicorp/consul-template#1412. It needs checking. The output looks the same atm and issue is not yet resolved.

[mladlow]

We are currently using consul-template 0.25.1, and the change will be released in 0.25.2. The consul-template folks are planning a release at which point we'll be able to update our dependency.

I'll keep bumping the milestone on this so I can keep checking for new releases.

[mladlow]

Consul-template has released 0.25.2, and we'll be using it in 1.7.