[syslog-ng] Problems with rewrite set and template functions...

Johnson, Chris (HP TippingPoint Roseville) chris.johnson3 at hp.com
Mon Jan 28 17:37:15 CET 2013


Oops, forgot the version… I'm running 3.3.3.

For now, I'm locked into using version 3.3.3.

In my implementation, I'm defining destinations once (local log file, remote syslog server, Email address, …) and use them for multiple services. Each service can have a different message format for each destination, and I want to avoid defining a new destination for each service/destination combination.
Upon further investigation, I think I can use the 'if' template function to pick which of my custom functions to use and avoid the rewrites.

The template functions that I can release are:
Using 'ipv4-to-int' as a template, I added these to 'modules/convertfuncs/convert-funcs.c':
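#include <ctype.h>    /* tolower() and toupper() used below */

/*
* HP - add a 'to-lower-case' function
* change case to lower for a string
*/
static void
tf_to_lower_case(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
    gint i;

    for (i = 0; i < argc; i++)
    {
        char *p;
        p = argv[i]->str;
        /* cast to unsigned char: passing a negative char (any byte >= 0x80
         * where char is signed) to tolower() is undefined behaviour */
        while (*p)
            g_string_append_c(result, tolower((unsigned char) *p++));
        /* separate the arguments with a single space */
        if (i < argc -1)
            g_string_append_c(result, ' ');
    }
}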

/*
* HP - add a 'to-upper-case' function
* change case to upper for a string
*/
static void
tf_to_upper_case(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
    gint i;

    for (i = 0; i < argc; i++)
    {
        char *p;
        p = argv[i]->str;
        /* cast to unsigned char: toupper() on a negative char is undefined */
        while (*p)
            g_string_append_c(result, toupper((unsigned char) *p++));
        if (i < argc -1)
            g_string_append_c(result, ' ');
    }
}

/*
* HP - add a 'tab-to-comma' function
* change tabs to commas ',' in a string
*/
static void
tf_tab_to_comma(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
    gint i;

    for (i = 0; i < argc; i++)
    {
        char *p;
        p = argv[i]->str;
        while (*p)
            g_string_append_c(result, (*p++ == '\t')?',':*(p-1));
        if (i < argc -1)
            g_string_append_c(result, ' ');
    }
}

/*
* HP - add a 'tab-to-semicolon' function
* change tabs to semicolons ';' in a string
*/
static void
tf_tab_to_semicolon(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
    gint i;

    for (i = 0; i < argc; i++)
    {
        char *p;
        p = argv[i]->str;
        while (*p)
            g_string_append_c(result, (*p++ == '\t')?';':*(p-1));
        if (i < argc -1)
            g_string_append_c(result, ' ');
    }
}

/*
* HP - add a 'tab-to-bar' function
* change tabs to bars '|' in a string
*/
static void
tf_tab_to_bar(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
    gint i;

    for (i = 0; i < argc; i++)
    {
        char *p;
        p = argv[i]->str;
        while (*p)
            g_string_append_c(result, (*p++ == '\t')?'|':*(p-1));
        if (i < argc -1)
            g_string_append_c(result, ' ');
    }
}

TEMPLATE_FUNCTION_SIMPLE(tf_ipv4_to_int);
TEMPLATE_FUNCTION_SIMPLE(tf_to_lower_case);
TEMPLATE_FUNCTION_SIMPLE(tf_to_upper_case);
TEMPLATE_FUNCTION_SIMPLE(tf_tab_to_comma);
TEMPLATE_FUNCTION_SIMPLE(tf_tab_to_semicolon);
TEMPLATE_FUNCTION_SIMPLE(tf_tab_to_bar);

static Plugin convert_func_plugins[] =
{
  TEMPLATE_FUNCTION_PLUGIN(tf_ipv4_to_int, "ipv4-to-int"),
  TEMPLATE_FUNCTION_PLUGIN(tf_to_lower_case, "to-lower-case"),
  TEMPLATE_FUNCTION_PLUGIN(tf_to_upper_case, "to-upper-case"),
  TEMPLATE_FUNCTION_PLUGIN(tf_tab_to_comma, "tab-to-comma"),
  TEMPLATE_FUNCTION_PLUGIN(tf_tab_to_semicolon, "tab-to-semicolon"),
  TEMPLATE_FUNCTION_PLUGIN(tf_tab_to_bar, "tab-to-bar"),
};

Chris

From: Balazs Scheidler [mailto:bazsi77 at gmail.com]
Sent: Friday, January 25, 2013 10:48 PM
To: Syslog-ng users' and developers' mailing list; Johnson, Chris (HP TippingPoint Roseville)
Subject: Re: [syslog-ng] Problems with rewrite set and template functions...


Hi,

I recall something related, but I need to check. In that case the clone method wasn't properly initializing all the fields of an object in case it is referenced multiple times.

Which version are you using?

I see you have implemented a number of interesting template functions; I'd like to integrate them into syslog-ng if you are permitted to contribute them.

Also, you might be able to get rid of rewrite rules and simply use the template option for file destinations; that'd make your config much simpler.

And another note, 3.4 offers junctions and channels that again can make it possible to enclose your rewrites into reusable blocks, and by the use of inline objects, would also simplify the configuration a lot.

Cheers,

----- Original message -----
> Hi all,
> I've come across a problem when using the rewrite set function with a
> template function. I've created a custom template function
> 'audit-TPTI-to-Email' and use it in a rewrite:
> rewrite r_audit_EMail {
>                set("$(audit-TPTI-to-EMail ${MSG})", value("MSG"));
> };
>
> Then call it:
> filter f_audit_pgm{program("AUDIT-*" type("glob"));};
> log {
>                source(s_local);
>                filter(f_audit_pgm);
>                log {
>                                destination(d_logID_02);
>                };
>                log {
>                                rewrite(r_audit_EMail);
>                                rewrite(r_quote_newlines);
>                                destination(d_logID_13);
>                };
>                flags(final);
> };
> Everything works fine.
> Then if I add another call to rewrite (i.e. add a second email
> destination):
> filter f_audit_pgm{program("AUDIT-*" type("glob"));};
> log {
>                source(s_local);
>                filter(f_audit_pgm);
>                log {
>                                destination(d_logID_02);
>                };
>                log {
>                                rewrite(r_audit_EMail);
>                                rewrite(r_quote_newlines);
>                                destination(d_logID_13);
>                };
>                log {
>                                rewrite(r_audit_EMail);
>                                rewrite(r_quote_newlines);
>                                destination(d_logID_14);
>                };
>                flags(final);
> };
> Syslog-ng crashes with a segfault.
> I've narrowed it down to any template function (just to make sure *I*
> wasn't screwing something up in my custom function):
> rewrite r_echo { set("$(echo $PROGRAM)" value("PROGRAM")); };
> destination d_test1{ file("/var/log/test1.log"); };
> destination d_test2{ file("/var/log/test2.log"); };
>
> log {
>                source(s_local);
>                log {
>                                rewrite(r_echo);
>                                destination(d_test1);
>                };
>                log {
>                                rewrite(r_echo);
>                                destination(d_test2);
>                };
> };
>
> The backtrace:
> Backtrace:
> /usr/local/lib/libsyslog-ng-3.3.3.so(plugin_find+0x39)[0x7f3eb76ff019]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_template_compile+0x84f)[0x7f3eb7703baf]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_rewrite_set_new+0x99)[0x7f3eb76f3349]
> /usr/local/lib/libsyslog-ng-3.3.3.so[0x7f3eb76f3371]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0x35d)[0x7f3eb76dfecd]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0xd2)[0x7f3eb76dfc42]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init+0x56)[0x7f3eb76e0226]
> /usr/local/lib/libsyslog-ng-3.3.3.so(cfg_init+0xb0)[0x7f3eb76e1530]
> /usr/local/lib/libsyslog-ng-3.3.3.so(main_loop_init+0x11b)[0x7f3eb76f9abb]
> /usr/local/sbin/syslog-ng(main+0x11f)[0x40168f]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7f3eb6240126]
> /usr/local/sbin/syslog-ng[0x401379]
>
> I threw in some debug statements:
> LogRewrite *
> log_rewrite_set_new(const gchar *new_value)
> {
>        fprintf(stderr, "%s('%s'):\n", __FUNCTION__, new_value);
>
> Plugin *
> plugin_find(GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
> {
>        fprintf(stderr, "%s(%p, %d, '%s'): '\n", __FUNCTION__, cfg, plugin_type, plugin_name);
>
> Which showed that the 'cfg' pointer is null when rewrite is called the
> second time:
> log_rewrite_set_new('$(echo $PROGRAM)'):
> plugin_find(0x60e210, 13, 'echo'): '
> plugin_find:      plugin->name = 'sys-to-EMail'
> plugin_find:      plugin->name = 'audit-TPTI-to-EMail'
> plugin_find:      plugin->name = 'quar-TPTI-to-EMail'
> plugin_find:      plugin->name = 'quar-TPTI-to-CEF'
> plugin_find:      plugin->name = 'tab-to-bar'
> plugin_find:      plugin->name = 'tab-to-semicolon'
> plugin_find:      plugin->name = 'tab-to-comma'
> plugin_find:      plugin->name = 'to-upper-case'
> plugin_find:      plugin->name = 'to-lower-case'
> plugin_find:      plugin->name = 'ipv4-to-int'
> plugin_find:      plugin->name = 'log-session-seqnum'
> plugin_find:      plugin->name = 'indent-multi-line'
> plugin_find:      plugin->name = 'if'
> plugin_find:      plugin->name = 'grep'
> plugin_find:      plugin->name = 'echo'
> plugin_find(0x60e210, 2, 'file'): '
> [...]
> log_rewrite_set_new('$(echo $PROGRAM)'):
> plugin_find((nil), 13, 'echo'): '
> *** Segmentation fault
>
> Sooo, my questions are:
> Is this expected behavior?
> Has this been patched already?
> Is there another way I can call a custom function to reformat the
> message field on a destination-by-destination basis?
>
> Thanks,
> Chris
>
> ----------------------------------------
> Christopher Johnson
> chris.johnson3 at hp.com
> HP Software - Security Product Group
> (916) 785-2817
> ----------------------------------------
>
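The failure reported in this thread is a rule referenced from a second log path reaching plugin_find with a NULL cfg, which the reply tentatively attributes to a clone method that does not initialize every field. The following is a simplified model of that bug class beside a hardened form. It is an added example, not syslog-ng source and not code from either poster: the Config and Rewrite types, plugin_find_checked, compile_template and both clone functions are hypothetical stand-ins, and the plugin list is constructed.

```c
#include <string.h>

/* Simplified stand-ins for this example; not syslog-ng's real types. */
typedef struct { const char *const *names; size_t count; } Config;
typedef struct { const Config *cfg; char tmpl[64]; } Rewrite;

/* Lookup that fails closed: a NULL config is an error, not a dereference. */
static int plugin_find_checked(const Config *cfg, const char *name, size_t len)
{
    if (cfg == NULL) return -1;
    for (size_t i = 0; i < cfg->count; i++)
        if (strncmp(cfg->names[i], name, len) == 0 && cfg->names[i][len] == '\0')
            return 1;
    return 0;
}

/* Resolve the function in "$(name args)": 1 found, 0 unknown, -1 error. */
static int compile_template(const Rewrite *r)
{
    const char *p = strstr(r->tmpl, "$(");
    if (p == NULL) return -1;
    return plugin_find_checked(r->cfg, p + 2, strcspn(p + 2, " )"));
}

/* Buggy clone: copies the template text only, so cfg stays NULL. */
static void clone_buggy(Rewrite *dst, const Rewrite *src)
{
    *dst = (Rewrite){ 0 };
    memcpy(dst->tmpl, src->tmpl, sizeof dst->tmpl);
}

/* Fixed clone: whole-struct copy, so no field can be forgotten. */
static void clone_fixed(Rewrite *dst, const Rewrite *src)
{
    *dst = *src;
}

/* Compile a second reference to one rule through the chosen clone. */
static int second_reference(int use_fixed)
{
    static const char *const names[] = { "if", "grep", "echo" }; /* constructed */
    const Config cfg = { names, 3 };
    const Rewrite orig = { &cfg, "$(echo $PROGRAM)" };
    Rewrite copy;
    if (use_fixed) clone_fixed(&copy, &orig); else clone_buggy(&copy, &orig);
    return compile_template(&copy);
}
```

With the NULL check in the lookup, the incomplete clone surfaces as a configuration error (-1) at init time instead of a segfault in the logging daemon.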