[syslog-ng] Minimum Syslog Message Length

Balazs Scheidler bazsi at balabit.hu
Thu Dec 22 15:15:45 CET 2011 

On Wed, 2011-12-21 at 14:47 +0100, Gergely Nagy wrote:
> Balazs Scheidler <bazsi at balabit.hu> writes:
> 
> > On Thu, 2011-12-15 at 08:53 -0500, vincent at ragosta.net wrote:
> >> Is it possible to specify a restriction on the minimum length of a
> >> syslog message?  We often receive small, malformed messages that we do
> >> not want to transmit.
> >
> > Right now it isn't. Maybe if you could match against them with a regexp,
> > though that could be expensive. IIRC PCRE has repetition count limits,
> > so you could do something like:
> >
> > To match for maximum 16 characters.
> >
> > filter f_malformed { match('.{,16}'); };
> >
> > I'm not sure about the syntax though.
> 
> Another option is to write a template function that returns the string
> length, and combine that with $(if).
> 
> So we'd end up with something like this:
> 
> f_malformed {
>  match ('-', value ("$(if ($(length "${MSG}") <= 16) "-" "+")"));
> };
> 
> The if would return - if the message is shorter or equal to 16 chars, +
> otherwise, and the match would match only those that are -.
> 
> This might be faster than the regexp trick, but requires writing the
> length template function. Doing so would be very easy though, about 10
> lines of code or so.
> 

I think it became about 15 instead, but some of that is whitespace:

$ git show
commit 3d05ee23122a707c74bd53f8bc33f535aa34b912
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Thu Dec 22 15:14:49 2011 +0100

    basic-funcs: implement $(length) function
    
    The idea behind the $(length) function is to make it possible to filter
    based on value length, such as:
    
    f_malformed {
     match ('-', value ("$(if ($(length "${MSG}") <= 16) "-" "+")"));
    };
    
    Reported-By: Gergely Nagy <algernon at balabit.hu>
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>

diff --git a/modules/basicfuncs/basic-funcs.c b/modules/basicfuncs/basic-funcs.c
index 60ac178..472e781 100644
--- a/modules/basicfuncs/basic-funcs.c
+++ b/modules/basicfuncs/basic-funcs.c
@@ -46,6 +46,7 @@ static Plugin basicfuncs_plugins[] =
 
   /* str-funcs */
   TEMPLATE_FUNCTION_PLUGIN(tf_echo, "echo"),
+  TEMPLATE_FUNCTION_PLUGIN(tf_length, "length"),
   TEMPLATE_FUNCTION_PLUGIN(tf_substr, "substr"),
   TEMPLATE_FUNCTION_PLUGIN(tf_strip, "strip"),
   TEMPLATE_FUNCTION_PLUGIN(tf_sanitize, "sanitize"),
diff --git a/modules/basicfuncs/str-funcs.c b/modules/basicfuncs/str-funcs.c
index 2be5f3b..219b8e2 100644
--- a/modules/basicfuncs/str-funcs.c
+++ b/modules/basicfuncs/str-funcs.c
@@ -18,6 +18,21 @@ tf_echo(LogMessage *msg, gint argc, GString *argv[], GString *result)
 
 TEMPLATE_FUNCTION_SIMPLE(tf_echo);
 
+static void
+tf_length(LogMessage *msg, gint argc, GString *argv[], GString *result)
+{
+  gint i;
+
+  for (i = 0; i < argc; i++)
+    {
+      format_uint32_padded(result, 0, 0, 10, argv[i]->len);
+      if (i < argc - 1)
+        g_string_append_c(result, ' ');
+    }
+}
+
+TEMPLATE_FUNCTION_SIMPLE(tf_length);
+
 /*
  * $(substr $arg START [LEN])
  */
diff --git a/tests/unit/test_template.c b/tests/unit/test_template.c
index 6e394df..4c842a0 100644
--- a/tests/unit/test_template.c
+++ b/tests/unit/test_template.c
@@ -298,6 +298,10 @@ main(int argc G_GNUC_UNUSED, char *argv[] G_GNUC_UNUSED)
   testcase(msg, "$(echo '\"$(echo $(echo $HOST))\"' $PID)", "\"bzorp\" 23323");
   testcase(msg, "$(ipv4-to-int $SOURCEIP)", "168496141");
 
+  testcase(msg, "$(length $HOST $PID)", "5 5");
+  testcase(msg, "$(length $HOST)", "5");
+  testcase(msg, "$(length)", "");
+
   testcase(msg, "$(grep 'facility(local3)' $PID)", "23323,23323");
   testcase(msg, "$(grep 'facility(local3)' $PID $PROGRAM)", "23323,syslog-ng,23323,syslog-ng");
   testcase(msg, "$(grep 'facility(local4)' $PID)", "");


-- 
Bazsi

More information about the syslog-ng mailing list