Is it possible to specify a restriction on the minimum length of a syslog message? We often receive small, malformed messages that we do not want to transmit.
Thanks, Vincent
On Thu, 2011-12-15 at 08:53 -0500, vincent@ragosta.net wrote:
> Is it possible to specify a restriction on the minimum length of a syslog message? We often receive small, malformed messages that we do not want to transmit.
Right now it isn't. Maybe if you could match against them with a regexp, though that could be expensive. IIRC PCRE has repetition count limits, so you could do something like:
To match for maximum 16 characters.
filter f_malformed { match('.{,16}'); };
I'm not sure about the syntax though.
-- Bazsi
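An added example, not from the original thread or from syslog-ng: a regexp used as a length filter has to be anchored, because a pattern such as `.{0,16}` also matches inside longer messages. The C below uses POSIX regcomp()/regexec() as a stand-in for the filter's regex engine (an assumption, as are the sample messages and the explicit {0,16} lower bound) and counts how many messages each form would flag.

```c
/* Added example, not syslog-ng code. POSIX regcomp()/regexec() stand in
 * for the filter's regex engine; sample messages are constructed. */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* 1 if `pattern` (POSIX ERE) is found anywhere in `msg`, 0 if it is not,
 * -1 if the pattern fails to compile. Search semantics are assumed here. */
int regex_search(const char *pattern, const char *msg)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, msg, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Constructed payloads: two short fragments, then two ordinary messages. */
static const char *const SAMPLE[] = {
    "",
    "-- MARK --",
    "sshd[2211]: Accepted publickey for admin from 192.0.2.10",
    "kernel: eth0: link up, 1000Mbps, full-duplex",
};
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* How many sample messages a pattern would flag as "malformed". */
int count_flagged(const char *pattern)
{
    int flagged = 0;
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (regex_search(pattern, SAMPLE[i]) == 1)
            flagged++;
    return flagged;
}

int main(void)
{
    /* Unanchored: the empty match succeeds everywhere, so all 4 are flagged. */
    printf("unanchored .{0,16}   flags %d of %zu\n",
           count_flagged(".{0,16}"), N_SAMPLE);
    /* Anchored: only the two messages of at most 16 bytes are flagged. */
    printf("anchored  ^.{0,16}$  flags %d of %zu\n",
           count_flagged("^.{0,16}$"), N_SAMPLE);
    return 0;
}
```

With no setlocale() call the engine counts bytes, so a multi-byte UTF-8 message reaches the limit sooner than its character count suggests.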
Balazs Scheidler <bazsi@balabit.hu> writes:
> On Thu, 2011-12-15 at 08:53 -0500, vincent@ragosta.net wrote:
>> Is it possible to specify a restriction on the minimum length of a syslog message? We often receive small, malformed messages that we do not want to transmit.
> Right now it isn't. Maybe if you could match against them with a regexp, though that could be expensive. IIRC PCRE has repetition count limits, so you could do something like:
> To match for maximum 16 characters.
> filter f_malformed { match('.{,16}'); };
> I'm not sure about the syntax though.
Another option is to write a template function that returns the string length, and combine that with $(if).
So we'd end up with something like this:
f_malformed { match ('-', value ("$(if ($(length "${MSG}") <= 16) "-" "+")")); };
The if would return - if the message is shorter or equal to 16 chars, + otherwise, and the match would match only those that are -.
This might be faster than the regexp trick, but requires writing the length template function. Doing so would be very easy though, about 10 lines of code or so.
-- |8]
On Wed, 2011-12-21 at 14:47 +0100, Gergely Nagy wrote:
> Balazs Scheidler <bazsi@balabit.hu> writes:
>> On Thu, 2011-12-15 at 08:53 -0500, vincent@ragosta.net wrote:
>>> Is it possible to specify a restriction on the minimum length of a syslog message? We often receive small, malformed messages that we do not want to transmit.
>> Right now it isn't. Maybe if you could match against them with a regexp, though that could be expensive. IIRC PCRE has repetition count limits, so you could do something like:
>> To match for maximum 16 characters.
>> filter f_malformed { match('.{,16}'); };
>> I'm not sure about the syntax though.
> Another option is to write a template function that returns the string length, and combine that with $(if).
> So we'd end up with something like this:
> f_malformed { match ('-', value ("$(if ($(length "${MSG}") <= 16) "-" "+")")); };
> The if would return - if the message is shorter or equal to 16 chars, + otherwise, and the match would match only those that are -.
> This might be faster than the regexp trick, but requires writing the length template function. Doing so would be very easy though, about 10 lines of code or so.
I think it became about 15 instead, but some of that is whitespace: $ git show commit 3d05ee23122a707c74bd53f8bc33f535aa34b912 Author: Balazs Scheidler <bazsi@balabit.hu> Date: Thu Dec 22 15:14:49 2011 +0100 basic-funcs: implement $(length) function The idea behind the $(length) function is to make it possible to filter based on value length, such as: f_malformed { match ('-', value ("$(if ($(length "${MSG}") <= 16) "-" "+")")); }; Reported-By: Gergely Nagy <algernon@balabit.hu> Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> diff --git a/modules/basicfuncs/basic-funcs.c b/modules/basicfuncs/basic-funcs.c index 60ac178..472e781 100644 --- a/modules/basicfuncs/basic-funcs.c +++ b/modules/basicfuncs/basic-funcs.c @@ -46,6 +46,7 @@ static Plugin basicfuncs_plugins[] = /* str-funcs */ TEMPLATE_FUNCTION_PLUGIN(tf_echo, "echo"), + TEMPLATE_FUNCTION_PLUGIN(tf_length, "length"), TEMPLATE_FUNCTION_PLUGIN(tf_substr, "substr"), TEMPLATE_FUNCTION_PLUGIN(tf_strip, "strip"), TEMPLATE_FUNCTION_PLUGIN(tf_sanitize, "sanitize"), diff --git a/modules/basicfuncs/str-funcs.c b/modules/basicfuncs/str-funcs.c index 2be5f3b..219b8e2 100644 --- a/modules/basicfuncs/str-funcs.c +++ b/modules/basicfuncs/str-funcs.c @@ -18,6 +18,21 @@ tf_echo(LogMessage *msg, gint argc, GString *argv[], GString *result) TEMPLATE_FUNCTION_SIMPLE(tf_echo); +static void +tf_length(LogMessage *msg, gint argc, GString *argv[], GString *result) +{ + gint i; + + for (i = 0; i < argc; i++) + { + format_uint32_padded(result, 0, 0, 10, argv[i]->len); + if (i < argc - 1) + g_string_append_c(result, ' '); + } +} + +TEMPLATE_FUNCTION_SIMPLE(tf_length); + /* * $(substr $arg START [LEN]) */ diff --git a/tests/unit/test_template.c b/tests/unit/test_template.c index 6e394df..4c842a0 100644 --- a/tests/unit/test_template.c +++ b/tests/unit/test_template.c 
@@ -298,6 +298,10 @@ main(int argc G_GNUC_UNUSED, char *argv[] G_GNUC_UNUSED) testcase(msg, "$(echo '\"$(echo $(echo $HOST))\"' $PID)", "\"bzorp\" 23323"); testcase(msg, "$(ipv4-to-int $SOURCEIP)", "168496141"); + testcase(msg, "$(length $HOST $PID)", "5 5"); + testcase(msg, "$(length $HOST)", "5"); + testcase(msg, "$(length)", ""); + testcase(msg, "$(grep 'facility(local3)' $PID)", "23323,23323"); testcase(msg, "$(grep 'facility(local3)' $PID $PROGRAM)", "23323,syslog-ng,23323,syslog-ng"); testcase(msg, "$(grep 'facility(local4)' $PID)", ""); -- Bazsi
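Review bot: In the str-funcs.c hunk, tf_length() reports argv[i]->len, which for a GString is the length in bytes, while the thread talks about a limit of 16 characters; a UTF-8 value with multi-byte characters will report more than its character count. Either document $(length) as returning bytes or count characters with g_utf8_strlen(argv[i]->str, argv[i]->len). The value also goes through format_uint32_padded(), so a short comment that lengths are assumed to fit in 32 bits would help.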
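Review bot: The test_template.c hunk covers two arguments, one argument and no argument, but not an argument that expands to an empty string, and not the use the commit message gives as motivation. Add a case with an empty value to pin down whether the result is 0 or nothing, and one that nests $(length) inside $(if) with the <= comparison, since that is how the function is meant to be used in a filter.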
participants (3): Balazs Scheidler, Gergely Nagy, vincent@ragosta.net