[syslog-ng] lazy logger++

Alexander Clouter ac56 at soas.ac.uk
Fri Oct 20 18:19:53 CEST 2006


Hi,

Time to reply to my own email....

Alexander Clouter <ac56 at soas.ac.uk> [20061019 10:25:38 +0100]:
>
> [snipped]
> 
> What I am planning on doing is having something like the following in my 
> syslog-ng.conf file which is fantastic as to add logging groups I just add 
> extra udp() lines to s_multicastGeneric and nothing else is needed.  At the 
> moment I would need separate source/destination/log entries per multicast 
> group address, which is upsetting and results in a hideous configuration 
> file.
> 
> ====================
> source s_multicastGeneric {
>         ## squid
>         # access
>         udp(ip(239.194.251.0) port(514));
>         # cache
>         udp(ip(239.194.251.32) port(514));
> };
> 
> destination df_multicastGeneric {
>         file("/var/log/syslog-ng/mulitcastGeneric/$DESTIP/$R_YEAR$R_MONTH$R_DAY.log");
> };
> 
> log {
>        source(s_multicastGeneric);
>        destination(df_multicastGeneric);
>        flags(final);
> };
> ====================
> 
> [snipped]
>
> As I said, I'm working on a patch at my end and will post it here once done, 
> but its unlikely to be pretty... :)
> 
well I said it was going to be nasty, the patch has been attached for peer 
review. It really does things in probably a manner that is going to 
make Balazs break down into tears.

The patch enables you to do the above so that you can have a group of 
machines all logging to the same multicast address and all their messages 
appear in the same logfile.  To add new *groups* of machines you simply add 
the single extra multicast udp() line to s_multicastGeneric you want to 
listen out for.  This is as opposed to maintaining a collection of source 
address IP's to filter under which can become un-managable if your groups 
become large in the number of hosts they contain.

The only other way I could think of to implement the patch was to make my 
amendments in log_source_group_queue(); however[1], I thought it would be 
more efficient to put it in the macros.c file so that the conversion of the 
binary address into something human readable would only occur if $DESTIP[2] 
is evaluated.

Anyway, it "Works for Me(tm)" and something like this in syslog-ng would be 
very helpful.  Obviously we are in the release candidate stage so I don't 
expect it for version 2.0 :)

I look forward to the feedback, flames, onslaught...

Cheers

Alex

[1] also I could not find out how to get to the original socket that had been
	read from easily
[2] I chose not to bother with $HOST_TO (look up the PTR record for the 
	destination multicast group) as I though it would be best to get this 
	looked at first and I can live without $HOST_TO 'support'
-------------- next part --------------
diff -r -d -u ../syslog-ng.orig/syslog-ng-2.0rc3/src/logmsg.c syslog-ng-2.0rc3/src/logmsg.c
--- ../syslog-ng.orig/syslog-ng-2.0rc3/src/logmsg.c	2006-10-20 14:32:13.272552000 +0100
+++ syslog-ng-2.0rc3/src/logmsg.c	2006-10-20 16:23:54.822552000 +0100
@@ -525,6 +525,7 @@
   self->date = g_string_sized_new(16);
   self->host = g_string_sized_new(32);
   self->host_from = g_string_sized_new(32);
+  self->sn.sa_family = AF_UNSPEC;
   self->program = g_string_sized_new(32);
   self->msg = g_string_sized_new(32);
   self->saddr = g_sockaddr_ref(saddr);
diff -r -d -u ../syslog-ng.orig/syslog-ng-2.0rc3/src/logmsg.h syslog-ng-2.0rc3/src/logmsg.h
--- ../syslog-ng.orig/syslog-ng-2.0rc3/src/logmsg.h	2006-10-20 14:32:13.322552000 +0100
+++ syslog-ng-2.0rc3/src/logmsg.h	2006-10-20 16:09:30.682552000 +0100
@@ -90,6 +90,7 @@
   LogStamp stamp;
   LogStamp recvd;
   GString *date, *host, *host_from, *program, *msg;
+  struct sockaddr sn;
   gchar *re_matches[RE_MAX_MATCHES];
 } LogMessage;
 
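Review bot: `struct sockaddr sn;` is too small for the IPv6 path this patch adds. On common platforms `struct sockaddr` is 16 bytes and `struct sockaddr_in6` is larger, so the `getsockname()` call in logreader.c (which passes `sizeof(m->sn)`) truncates an IPv6 local address, and the `inet_ntop()` calls in macros.c that cast `&msg->sn` to `struct sockaddr_in6 *` read `sin6_addr` past the end of the field, presumably into the `re_matches` member that follows it. Because $DESTIP is expanded into file names and message output, those stray bytes would be written out as part of an address. Declare the field as `struct sockaddr_storage sn;`, initialise and test `sn.ss_family`, and cast to `struct sockaddr *` at the `getsockname()` call. The struct definition starts outside this hunk.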
diff -r -d -u ../syslog-ng.orig/syslog-ng-2.0rc3/src/logreader.c syslog-ng-2.0rc3/src/logreader.c
--- ../syslog-ng.orig/syslog-ng-2.0rc3/src/logreader.c	2006-10-20 14:32:13.352552000 +0100
+++ syslog-ng-2.0rc3/src/logreader.c	2006-10-20 16:33:13.642552000 +0100
@@ -34,6 +34,10 @@
 #include <time.h>
 #include <errno.h>
 
+#if ENABLE_IPV6
+# include <arpa/inet.h>
+#endif
+
 static gboolean log_reader_fetch_log(LogReader *self, FDRead *fd);
 
 typedef struct _LogReaderWatch
@@ -177,6 +181,11 @@
       
   m = log_msg_new(line, length, saddr, parse_flags, self->options->bad_hostname);
   
+  if ((self->fd->flags & FR_RECV) != 0) {
+    socklen_t snlen = sizeof(m->sn);
+    getsockname(self->fd->fd, &m->sn, &snlen);
+  }
+  
   if (self->options->prefix)
     g_string_prepend(m->msg, self->options->prefix);
       
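Review bot: The `getsockname()` result is ignored, so on failure `m->sn` is formatted later in whatever state the call left it; `if (getsockname(self->fd->fd, &m->sn, &snlen) < 0) m->sn.sa_family = AF_UNSPEC;` keeps the $DESTIP fallback reliable. The call also runs once per received message although a bound socket's local address does not change, so looking it up once when the reader is set up and copying the cached value would avoid a system call per message on a receiver that may be under heavy load. A comment should also state that `getsockname()` reports the address the socket is bound to, not the destination of each datagram, so a source bound to a wildcard address would yield the wildcard rather than the group address. The enclosing function starts and ends outside this hunk.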
diff -r -d -u ../syslog-ng.orig/syslog-ng-2.0rc3/src/macros.c syslog-ng-2.0rc3/src/macros.c
--- ../syslog-ng.orig/syslog-ng-2.0rc3/src/macros.c	2006-10-20 14:32:13.262552000 +0100
+++ syslog-ng-2.0rc3/src/macros.c	2006-10-20 16:53:16.312552000 +0100
@@ -32,6 +32,10 @@
 #include <time.h>
 #include <string.h>
 
+#if ENABLE_IPV6
+# include <arpa/inet.h>
+#endif
+
 struct macro_def
 {
   char *name;
@@ -105,7 +109,8 @@
         { "MSG", M_MESSAGE },
         { "MSGONLY", M_MSGONLY },
         { "MESSAGE", M_MESSAGE },
-        { "SOURCEIP", M_SOURCE_IP }
+        { "SOURCEIP", M_SOURCE_IP },
+        { "DESTIP", M_DEST_IP }
 };
 
 GHashTable *macro_hash;
@@ -428,9 +433,20 @@
         
         if (msg->saddr && g_sockaddr_inet_check(msg->saddr)) 
           {
-            gchar buf[16];
+            gchar buf[64]; /* even 40 bytes should be enough for IPv6 */
             
-            g_inet_ntoa(buf, sizeof(buf), ((struct sockaddr_in *) &msg->saddr->sa)->sin_addr);
+	    if ( msg->saddr->sa.sa_family == AF_INET )
+	      {
+                g_inet_ntoa(buf, sizeof(buf), ((struct sockaddr_in *) &msg->saddr->sa)->sin_addr);
+	      }
+#if ENABLE_IPV6
+	    else
+	      {
+		/* replace with g_sockaddr_inet6_format() to lose #include <arpa/inet.h> */
+		inet_ntop(AF_INET6, &((struct sockaddr_in6 *) &msg->sn)->sin6_addr, buf, sizeof(buf));
+	      }
+#endif
+
             ip = buf;
           }
         else 
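Review bot: The IPv6 branch of the SOURCEIP case formats `msg->sn` (the local socket address) rather than the sender's address, so $SOURCEIP would expand to the receiver's own address for IPv6 peers and mis-attribute log entries; this looks like a copy-paste from the DESTIP case. It should read `inet_ntop(AF_INET6, &((struct sockaddr_in6 *) &msg->saddr->sa)->sin6_addr, buf, sizeof(buf));`. Separately, when ENABLE_IPV6 is off and the family is not AF_INET, `buf` is assigned to `ip` without ever being written; whether that can happen depends on what `g_sockaddr_inet_check()` accepts, which is not visible here. The case body starts and ends outside the hunk.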
@@ -440,6 +456,35 @@
         result_append(result, ip, strlen(ip), !!(flags & MF_ESCAPE_RESULT));
         break;
       }
+    case M_DEST_IP:
+      {
+        gchar *ip;
+
+	if (msg->sn.sa_family != AF_UNSPEC)
+	  {
+	    gchar buf[64]; /* even 40 bytes should be enough for IPv6 */
+            
+	    if ( msg->sn.sa_family == AF_INET )
+	      {
+                g_inet_ntoa(buf, sizeof(buf), ((struct sockaddr_in *) &msg->sn)->sin_addr);
+              }
+#if ENABLE_IPV6
+	    else
+	      {
+		/* replace with g_sockaddr_inet6_format() to lose #include <arpa/inet.h> */
+		inet_ntop(AF_INET6, &((struct sockaddr_in6 *) &msg->sn)->sin6_addr, buf, sizeof(buf));
+	      }
+#endif
+            
+	    ip = buf;
+	  }
+	else 
+	  {
+	    ip = "127.0.0.1";
+	  }
+	result_append(result, ip, strlen(ip), !!(flags & MF_ESCAPE_RESULT));
+	break;
+      }
     default:
       msg_fatal("Internal error, unknown macro referenced;", NULL);
       return FALSE;
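Review bot: In the new M_DEST_IP case every family other than AF_INET falls into the `else`, so a non-IP local address (for example from a unix datagram socket, if FR_RECV covers those) is formatted as IPv6, and with ENABLE_IPV6 disabled `buf` reaches `strlen()` uninitialised. Test for AF_INET6 explicitly, check the `inet_ntop()` result, and let every other family take the fallback string, as sketched below. The AF_INET6 cast still requires `sn` to be large enough to hold a `struct sockaddr_in6`. The enclosing switch starts outside the hunk.

```c
    case M_DEST_IP:
      {
        gchar buf[64];
        gchar *ip = "127.0.0.1"; /* fallback when no usable local address was recorded */

        if (msg->sn.sa_family == AF_INET)
          {
            g_inet_ntoa(buf, sizeof(buf), ((struct sockaddr_in *) &msg->sn)->sin_addr);
            ip = buf;
          }
#if ENABLE_IPV6
        else if (msg->sn.sa_family == AF_INET6
                 && inet_ntop(AF_INET6, &((struct sockaddr_in6 *) &msg->sn)->sin6_addr, buf, sizeof(buf)) != NULL)
          {
            ip = buf;
          }
#endif
        /* … unchanged: result_append() call and break … */
      }
```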
diff -r -d -u ../syslog-ng.orig/syslog-ng-2.0rc3/src/macros.h syslog-ng-2.0rc3/src/macros.h
--- ../syslog-ng.orig/syslog-ng-2.0rc3/src/macros.h	2006-10-20 14:32:13.262552000 +0100
+++ syslog-ng-2.0rc3/src/macros.h	2006-10-20 13:33:24.192552000 +0100
@@ -101,6 +101,7 @@
   M_MESSAGE,
   M_MSGONLY,
   M_SOURCE_IP,
+  M_DEST_IP,
   M_MAX,
 
   M_MATCH_REF_OFS=256

