[syslog-ng]replacing part of prog name with hostname
Balazs Scheidler
bazsi@balabit.hu
Mon, 6 Jan 2003 13:48:14 +0100
On Mon, Jan 06, 2003 at 10:24:27AM +0100, Balazs Scheidler wrote:
> On Sat, Jan 04, 2003 at 12:50:30PM -0800, Nate Campi wrote:
> > On Sat, Jan 04, 2003 at 02:55:51PM +0300, Borzenkov Andrey wrote:
> > > > It knows to actually shift the message over one place to the right and
> > > > stick the value of the $FULLHOST_FROM macro in there. Even if I tried
> > > > templating out the message on my own syslog-ng will still think that
> > > > "ctlds" or "last" isn't part of the message and it'll get lost.
> > >
> > > Better is to implement source templates. This way you can precisely describe
> > > input line, so if you know your source never appends host name, you just
> > > omit this from template. Something like
> > >
> > > source s_stream { unix-stream("/dev/log" max-connections(10)); template(DATE
> > > PROG[PID]:... );};
> >
> > You missed the fact that before you ever get around to templating, part
> > of the program name is *already* lost. It's too late for that.
>
> he meant 'source templates' to specify how to parse messages. while that
> would be interesting it is less than trivial.
>
> I'm trying to hack a bad_hostname() feature right now.
I'm finished. Nate, can you test whether this patch solves your problem?
Usage: new global option named bad_hostname(), expects a regular expression
which should match all bad hostnames:
options { bad_hostname("^ctld$"); };
It is currently a global option, and I don't think it will become a
per-source option in 1.5.x.
I only tested it on Linux.
Index: ChangeLog
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/ChangeLog,v
retrieving revision 1.67
diff -u -r1.67 ChangeLog
--- ChangeLog 5 Dec 2002 16:23:50 -0000 1.67
+++ ChangeLog 6 Jan 2003 12:42:54 -0000
@@ -1,3 +1,19 @@
+2003-01-06 Balazs Scheidler <bazsi@balabit.balabit>
+
+ * af*.c: updated to call make_log_reader according to the latest
+ interface change
+
+ * src/log.c (make_log_info): expect a new argument (bad_hostname),
+ (parse_log_msg): check if the hostname matches bad_hostname, and
+ if it does do not interpret it as a hostname
+
+ * src/sources.c (make_log_reader): new argument, a regular
+ expression which matches bad hostnames
+
+2002-12-18 Balazs Scheidler <bazsi@balabit.balabit>
+
+ * configure.in: bumped version number to 1.5.24
+
2002-12-05 Balazs Scheidler <bazsi@balabit.balabit>
* src/afinet.c (inet_address_setip): check addr if it is NULL
Index: src/affile.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/affile.c,v
retrieving revision 1.56
diff -u -r1.56 affile.c
--- src/affile.c 30 Oct 2002 19:28:11 -0000 1.56
+++ src/affile.c 6 Jan 2003 12:42:54 -0000
@@ -162,7 +162,7 @@
if (do_open_file(self->name, flags, -1, -1, -1, -1, -1, -1, 0, &fd)) {
lseek(fd, 0, SEEK_END);
self->src = io_read(make_io_fd(cfg->backend, fd, ol_string_use(self->name)),
- make_log_reader(0, self->prefix, cfg->log_msg_size, self->pad_size, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, c),
+ make_log_reader(0, self->prefix, cfg->log_msg_size, self->pad_size, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, cfg->bad_hostname, c),
NULL);
self->res = REMEMBER_RESOURCE(cfg->resources, &self->src->super.super);
return ST_OK | ST_GOON;
Index: src/afinet.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/afinet.c,v
retrieving revision 1.21
diff -u -r1.21 afinet.c
--- src/afinet.c 5 Dec 2002 16:23:50 -0000 1.21
+++ src/afinet.c 6 Jan 2003 12:42:54 -0000
@@ -89,13 +89,13 @@
notice("AF_INET client connected from %S, port %i\n",
inet->ip, inet->port);
io_read(self->client,
- make_log_reader(0, NULL, cfg->log_msg_size, 0, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, c),
+ make_log_reader(0, NULL, cfg->log_msg_size, 0, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, cfg->bad_hostname, c),
make_afsocket_source_close_callback(self));
}
else {
/* SOCK_DGRAM */
io_read(self->client,
- make_log_reader(1, NULL, cfg->log_msg_size, 0, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, c),
+ make_log_reader(1, NULL, cfg->log_msg_size, 0, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, cfg->bad_hostname, c),
make_afsocket_source_close_callback(self));
}
Index: src/afstreams.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/afstreams.c,v
retrieving revision 1.14
diff -u -r1.14 afstreams.c
--- src/afstreams.c 21 Aug 2002 14:03:50 -0000 1.14
+++ src/afstreams.c 6 Jan 2003 12:42:54 -0000
@@ -77,6 +77,7 @@
(name stream_fd)
(super nonblocking_fd)
(vars
+ (bad_hostname special-struct regex_t #f regfree)
(pipe object log_handler)))
*/
@@ -145,7 +146,7 @@
length = eol - bol;
if (length) {
- li = make_log_info(length, bol, NULL, 0);
+ li = make_log_info(length, bol, NULL, 0, NULL);
li->pri = pri;
HANDLE_LOG(self->pipe, li);
}
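Review bot: `make_log_info(length, bol, NULL, 0, NULL)` passes NULL as the new regex argument, so on the STREAMS source bad_hostname() has no effect, even though io_stream_get further down compiles the pattern into the stream_fd. If the stream_fd is in scope in this read callback (its declaration is outside the hunk), pass the compiled field, e.g. `&self->bad_hostname`. Otherwise drop the field and the extra io_stream_get parameter, and add a comment that the option is ignored for STREAMS input.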
@@ -160,6 +161,7 @@
struct nonblocking_fd *io_stream_get(struct io_backend *backend,
int fd,
+ UINT8 *hostname_re,
struct log_handler *pipe)
{
NEW(stream_fd, f);
@@ -169,6 +171,10 @@
f->super.read = stream_read_callback;
f->super.want_read = 1;
f->pipe = pipe;
+ if (hostname_re == NULL)
+ regcomp(&self->bad_hostname, "^$", REG_NOSUB | REG_EXTENDED);
+ else
+ regcomp(&self->bad_hostname, hostname_re, REG_NOSUB | REG_EXTENDED);
return &f->super;
}
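Review bot: Both added regcomp() calls write to `self->bad_hostname`, but the object created in this function is `f` (`NEW(stream_fd, f)` in the previous hunk, `f->pipe = pipe` just above). Unless a `self` is declared outside the visible lines, this will not compile on STREAMS platforms and should be `&f->bad_hostname`. The return value of regcomp() is also ignored, here and in the make_log_reader hunk in src/sources.c. With an invalid pattern in bad_hostname() the regex_t is left in an unspecified state, then passed to regfree() on destruction and, in sources.c, to regexec() for every received message. Check the result, e.g. `if (regcomp(&f->bad_hostname, hostname_re ? (char *) hostname_re : "^$", REG_NOSUB | REG_EXTENDED) != 0)`, and report the bad pattern instead of continuing.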
@@ -220,7 +226,7 @@
close(fd);
return ST_FAIL | ST_QUIT;
}
- self->stream_fd = io_stream_get(cfg->backend, fd, c);
+ self->stream_fd = io_stream_get(cfg->backend, fd, cfg->bad_hostname, c);
REMEMBER_RESOURCE(cfg->resources, &self->stream_fd->super);
Index: src/afunix.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/afunix.c,v
retrieving revision 1.24
diff -u -r1.24 afunix.c
--- src/afunix.c 4 Sep 2002 14:52:25 -0000 1.24
+++ src/afunix.c 6 Jan 2003 12:42:54 -0000
@@ -51,7 +51,7 @@
CAST(afsocket_source_connection, self, c);
io_read(self->client,
- make_log_reader(!!(self->owner->flags & AFSOCKET_DGRAM), NULL, cfg->log_msg_size, 0, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, c),
+ make_log_reader(!!(self->owner->flags & AFSOCKET_DGRAM), NULL, cfg->log_msg_size, 0, cfg->check_hostname ? LF_CHECK_HOSTNAME : 0, cfg->bad_hostname, c),
make_afsocket_source_close_callback(self));
return ST_OK | ST_GOON;
Index: src/center.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/center.c,v
retrieving revision 1.19
diff -u -r1.19 center.c
--- src/center.c 25 Aug 2001 13:11:48 -0000 1.19
+++ src/center.c 6 Jan 2003 12:42:54 -0000
@@ -154,6 +154,7 @@
}
next_connection:
+ ;
}
}
Index: src/cfg-grammar.y
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/cfg-grammar.y,v
retrieving revision 1.56
diff -u -r1.56 cfg-grammar.y
--- src/cfg-grammar.y 21 Aug 2002 14:03:50 -0000 1.56
+++ src/cfg-grammar.y 6 Jan 2003 12:42:54 -0000
@@ -75,7 +75,7 @@
/* option items */
%token KW_FLAGS KW_CATCHALL KW_FALLBACK KW_FINAL
-%token KW_FSYNC KW_MARK_FREQ KW_SYNC_FREQ KW_STATS_FREQ KW_CHAIN_HOSTNAMES KW_KEEP_HOSTNAME KW_CHECK_HOSTNAME
+%token KW_FSYNC KW_MARK_FREQ KW_SYNC_FREQ KW_STATS_FREQ KW_CHAIN_HOSTNAMES KW_KEEP_HOSTNAME KW_CHECK_HOSTNAME KW_BAD_HOSTNAME
%token KW_LOG_FIFO_SIZE KW_LOG_MSG_SIZE
%token KW_TIME_REOPEN KW_TIME_REAP KW_USE_TIME_RECVD
%token KW_USE_DNS KW_USE_FQDN KW_GC_BUSY_THRESHOLD
@@ -575,6 +575,7 @@
| KW_CHAIN_HOSTNAMES '(' yesno ')' { configuration->chain_hostnames = $3; }
| KW_KEEP_HOSTNAME '(' yesno ')' { configuration->keep_hostname = $3; }
| KW_CHECK_HOSTNAME '(' yesno ')' { configuration->check_hostname = $3; }
+ | KW_BAD_HOSTNAME '(' STRING ')' { cfg_set_bad_hostname($3); }
| KW_USE_TIME_RECVD '(' yesno ')' { configuration->use_time_recvd = $3; }
| KW_USE_FQDN '(' yesno ')' { configuration->use_fqdn = $3; };
| KW_USE_DNS '(' yesno ')' { configuration->use_dns = $3; };
Index: src/cfg-lex.l
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/cfg-lex.l,v
retrieving revision 1.25
diff -u -r1.25 cfg-lex.l
--- src/cfg-lex.l 21 Aug 2002 14:03:50 -0000 1.25
+++ src/cfg-lex.l 6 Jan 2003 12:42:54 -0000
@@ -61,6 +61,7 @@
{ "use_fqdn", KW_USE_FQDN },
{ "use_dns", KW_USE_DNS },
{ "check_hostname", KW_CHECK_HOSTNAME },
+ { "bad_hostname", KW_BAD_HOSTNAME },
{ "gc_threshold", KW_GC_BUSY_THRESHOLD },
{ "gc_busy_threshold", KW_GC_BUSY_THRESHOLD },
{ "gc_idle_threshold", KW_GC_IDLE_THRESHOLD },
Index: src/cfgfile.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/cfgfile.c,v
retrieving revision 1.39
diff -u -r1.39 cfgfile.c
--- src/cfgfile.c 26 Apr 2002 09:43:54 -0000 1.39
+++ src/cfgfile.c 6 Jan 2003 12:42:54 -0000
@@ -125,6 +125,11 @@
configuration->dir_perm = perm;
}
+void cfg_set_bad_hostname(char *bad_hostname)
+{
+ configuration->bad_hostname = bad_hostname;
+}
+
struct persistent_info *
make_persistent_info(struct ol_string *name,
struct ol_object *o,
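Review bot: `configuration->bad_hostname = bad_hostname;` keeps the pointer from the grammar action without copying it, and nothing visible here says who owns the STRING value afterwards. If the parser frees or reuses that buffer, every later regcomp() in make_log_reader reads stale memory, so either copy it (`strdup`) and release it with the configuration, or add a comment such as `/* takes ownership of bad_hostname; freed with the config */`. The parameter is `char *` while the field is declared `pointer UINT8` in cfgfile.h, so the assignment also needs a cast or a matching type. This is also the natural place to compile the pattern once and reject an invalid expression at configuration load.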
@@ -320,6 +325,7 @@
self->dns_cache_expire = 3600;
self->dns_cache_expire_failed = 60;
self->log_msg_size = 2048;
+ self->bad_hostname = NULL;
if ((cfg = fopen(name, "r")) != NULL) {
lex_init(cfg);
res = yyparse();
Index: src/cfgfile.h
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/cfgfile.h,v
retrieving revision 1.25
diff -u -r1.25 cfgfile.h
--- src/cfgfile.h 18 Oct 2002 12:31:08 -0000 1.25
+++ src/cfgfile.h 6 Jan 2003 12:42:54 -0000
@@ -57,6 +58,7 @@
(use_fqdn simple UINT32)
(use_dns simple UINT32)
(check_hostname simple UINT32)
+ (bad_hostname pointer UINT8)
(create_dirs simple UINT32)
(uid simple int)
(gid simple int)
@@ -129,10 +131,7 @@
void cfg_set_dir_owner(char *uid);
void cfg_set_dir_group(char *gid);
void cfg_set_dir_perm(int perm);
-
-
-
-
+void cfg_set_bad_hostname(char *bad_hostname);
struct syslog_config *make_syslog_config(const char *name, struct io_backend *backend);
Index: src/filters.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/filters.c,v
retrieving revision 1.16
diff -u -r1.16 filters.c
--- src/filters.c 4 Feb 2002 16:07:50 -0000 1.16
+++ src/filters.c 6 Jan 2003 12:42:54 -0000
@@ -34,6 +34,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <string.h>
#define CLASS_DEFINE
#include "filters.h.x"
Index: src/log.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/log.c,v
retrieving revision 1.28
diff -u -r1.28 log.c
--- src/log.c 18 Oct 2002 12:31:08 -0000 1.28
+++ src/log.c 6 Jan 2003 12:42:54 -0000
@@ -41,7 +41,7 @@
static char aix_fwd_string[] = "Message forwarded from ";
static char repeat_msg_string[] = "last message repeated";
-static void parse_log_msg(struct log_info *lm, UINT32 length, UINT8 *data, UINT8 *prefix)
+static void parse_log_msg(struct log_info *lm, UINT32 length, UINT8 *data, UINT8 *prefix, regex_t *hostname_re)
{
unsigned char *src;
unsigned int left, pri, oldleft;
@@ -153,12 +153,15 @@
else {
/* If we haven't already found the original hostname,
look for it now. */
+ char hostname_buf[256];
+ int dst;
oldsrc = src;
oldleft = left;
+ dst = 0;
while (left && *src != ' ' && *src != ':'
- && *src != '[') {
+ && *src != '[' && dst < sizeof(hostname_buf) - 1) {
if (lm->flags & LF_CHECK_HOSTNAME &&
!((*src >= 'A' && *src <= 'Z') ||
(*src >= 'a' && *src <= 'z') ||
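Review bot: `dst` is declared `int` but compared with `sizeof(hostname_buf) - 1`, which is a `size_t`, so the new loop condition is a signed/unsigned comparison; declare it as `size_t dst = 0;` and drop the separate `dst = 0;`. The bound also changes behaviour: a token of 255 bytes or more now ends the loop before a space is reached and is no longer accepted as a hostname. That looks reasonable, but it deserves a comment next to the buffer, e.g. `/* tokens longer than this are never treated as a hostname */`. The loop body and the rest of parse_log_msg continue outside this hunk.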
@@ -168,11 +171,13 @@
*src == '@' || *src == '/')) {
break;
}
+ hostname_buf[dst++] = *src;
src++;
left--;
}
-
- if (left && *src == ' ') {
+ hostname_buf[dst] = 0;
+ if (left && *src == ' ' &&
+ (!hostname_re || regexec(hostname_re, hostname_buf, 0, NULL, 0))) {
/* This was a hostname. It came from a
syslog-ng, since syslogd doesn't send
hostnames. It's even better then the one
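Review bot: `hostname_buf[dst++] = *src;` copies bytes from the received message, and when LF_CHECK_HOSTNAME is not set nothing stops a NUL byte from being copied. regexec() then sees only the part of the token before the first NUL, so the bad_hostname() decision is made on a truncated string. Adding `&& *src != '\0'` to the loop condition (in the preceding hunk) would make such a token fail the hostname test instead. The comment after the condition should also say that a token matching bad_hostname() is deliberately not taken as a hostname, e.g. `/* ... unless it matches bad_hostname(), in which case it belongs to the program name */`. parse_log_msg continues outside this hunk.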
@@ -263,13 +268,13 @@
}
}
-struct log_info *make_log_info(UINT32 length, UINT8 *msg, UINT8 *prefix, UINT32 flags)
+struct log_info *make_log_info(UINT32 length, UINT8 *msg, UINT8 *prefix, UINT32 flags, regex_t *hostname_re)
{
struct log_info *self;
NEW_SPACE(self);
self->flags = flags & LF_USER_FLAGS;
- parse_log_msg(self, length, msg, prefix);
+ parse_log_msg(self, length, msg, prefix, hostname_re);
self->use_cnt = 1;
self->recvd = time(NULL);
return self;
Index: src/log.h
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/log.h,v
retrieving revision 1.18
diff -u -r1.18 log.h
--- src/log.h 21 Aug 2002 14:03:50 -0000 1.18
+++ src/log.h 6 Jan 2003 12:42:54 -0000
@@ -30,6 +30,7 @@
#include "io.h"
#include <sys/time.h>
+#include <regex.h>
struct syslog_config;
struct persistent_config;
@@ -89,7 +90,7 @@
struct log_info *log_info_use(struct log_info *msg);
void log_info_free(struct log_info *msg);
-struct log_info *make_log_info(UINT32 length, UINT8 *data, UINT8 *prefix, UINT32 flags);
+struct log_info *make_log_info(UINT32 length, UINT8 *data, UINT8 *prefix, UINT32 flags, regex_t *badhostname_re);
struct log_info *make_internal_message(UINT32 pri, UINT32 length, UINT8 *data);
struct log_info *make_mark_message(void);
Index: src/sources.c
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/sources.c,v
retrieving revision 1.36
diff -u -r1.36 sources.c
--- src/sources.c 28 Oct 2002 08:33:30 -0000 1.36
+++ src/sources.c 6 Jan 2003 12:42:54 -0000
@@ -42,6 +42,7 @@
#include "sources.c.x"
#include "nscache.h"
+
/* CLASS:
(class
(name log_reader)
@@ -54,6 +55,7 @@
(max_log_line simple UINT32)
(pad_size simple UINT32)
(msg_flags simple UINT32)
+ (bad_hostname special-struct regex_t #f regfree)
(next object log_handler)))
*/
@@ -65,7 +67,7 @@
{
struct log_info *logmsg;
- logmsg = make_log_info(length, data, self->prefix, self->msg_flags);
+ logmsg = make_log_info(length, data, self->prefix, self->msg_flags, &self->bad_hostname);
if (addrlen) {
logmsg->saddr = sockaddr2address_info(addrlen, addr);
}
@@ -155,6 +157,7 @@
UINT32 max_log_line,
UINT32 pad_size,
UINT32 msg_flags,
+ UINT8 *hostname_re,
struct log_handler *next)
{
NEW(log_reader, self);
@@ -167,7 +170,10 @@
self->pad_size = pad_size;
self->msg_flags = msg_flags;
self->buffer = ol_space_alloc(self->max_log_line);
-
+ if (hostname_re == NULL)
+ regcomp(&self->bad_hostname, "^$", REG_NOSUB | REG_EXTENDED);
+ else
+ regcomp(&self->bad_hostname, hostname_re, REG_NOSUB | REG_EXTENDED);
return &self->super;
}
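Review bot: make_log_reader compiles the bad_hostname pattern for every reader it creates, and the afinet.c and afunix.c hunks show a reader being created per client connection, so the same global expression is recompiled on each accept. Since the option is global, compiling it once when the configuration is loaded and passing a `regex_t *` down would avoid that cost and give a single owner for regfree(). `hostname_re` is `UINT8 *` while regcomp() takes `const char *`, so the call needs a cast or a `const char *` parameter. The start of make_log_reader is outside this hunk.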
Index: src/sources.h
===================================================================
RCS file: /var/cvs/syslog-ng/syslog-ng/src/sources.h,v
retrieving revision 1.16
diff -u -r1.16 sources.h
--- src/sources.h 21 Aug 2002 14:03:50 -0000 1.16
+++ src/sources.h 6 Jan 2003 12:42:54 -0000
@@ -66,6 +66,7 @@
UINT32 max_log_line,
UINT32 pad_size,
UINT32 msg_flags,
+ UINT8 *bad_hostname,
struct log_handler *next);
struct log_source_group *make_source_group(const char *name, struct log_source_driver *drvs);
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1