author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-03-06 13:55:04 +0000 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-03-06 13:55:04 +0000 |
commit | dfb2142974bb93c357be88d866fb17ddd39c65f4 (patch) | |
tree | f03e2c689355ce47a0d688b49573211647ea9e33 | |
parent | 8d36b9159f38815660b8c3b4a8e4ce48d0091bdc (diff) | |
added capability to ignore client-provided timestamp on unix sockets and
made this mode the default; this was needed, as some programs (e.g.
sshd) log with inconsistent timezone information, which messes up the
local logs (which by default don't even contain time zone information).
This seems to be consistent with what sysklogd did for the past four
years. Alternate behaviour may be desirable if gateway-like processes
send messages via the local log slot - in this case, it can be enabled
via the $InputUnixListenSocketIgnoreMsgTimestamp and
$SystemLogSocketIgnoreMsgTimestamp config directives
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | doc/imuxsock.html | 47 | ||||
-rw-r--r-- | doc/rsyslog_conf.html | 19 | ||||
-rw-r--r-- | plugins/imklog/imklog.c | 2 | ||||
-rw-r--r-- | plugins/imudp/imudp.c | 3 | ||||
-rw-r--r-- | plugins/imuxsock/imuxsock.c | 33 | ||||
-rw-r--r-- | syslogd.c | 12 | ||||
-rw-r--r-- | syslogd.h | 3 | ||||
-rw-r--r-- | tcps_sess.c | 9 |
10 files changed, 108 insertions, 31 deletions
@@ -12,6 +12,15 @@ Version 3.12.1 (rgerhards), 2008-03-06 - added support for the MonitorWare syslog MIB to omsnmp - internal code improvements (more code converted into classes) - internal code reworking of the imtcp/imgssapi module +- added capability to ignore client-provided timestamp on unix sockets and + made this mode the default; this was needed, as some programs (e.g. sshd) + log with inconsistent timezone information, what messes up the local + logs (which by default don't even contain time zone information). This + seems to be consistent with what sysklogd did for the past four years. + Alternate behaviour may be desirable if gateway-like processes send + messages via the local log slot - in this case, it can be enabled + via the $InputUnixListenSocketIgnoreMsgTimestamp and + $SystemLogSocketIgnoreMsgTimestamp config directives --------------------------------------------------------------------------- Version 3.12.0 (rgerhards), 2008-02-28 - added full expression support for filters; filters can now contain diff --git a/configure.ac b/configure.ac index 4bf03aff..a67a4815 100644 --- a/configure.ac +++ b/configure.ac @@ -80,7 +80,7 @@ AC_FUNC_STAT AC_FUNC_STRERROR_R AC_FUNC_VPRINTF AC_FUNC_WAIT3 -AC_CHECK_FUNCS([flock alarm clock_gettime gethostbyname gethostname gettimeofday localtime_r memset mkdir regcomp select setid socket strcasecmp strchr strdup strerror strndup strnlen strrchr strstr strtol strtoul uname ttyname_r]) +AC_CHECK_FUNCS([flock basename alarm clock_gettime gethostbyname gethostname gettimeofday localtime_r memset mkdir regcomp select setid socket strcasecmp strchr strdup strerror strndup strnlen strrchr strstr strtol strtoul uname ttyname_r]) # Large file support diff --git a/doc/imuxsock.html b/doc/imuxsock.html new file mode 100644 index 00000000..ee367dbc --- /dev/null +++ b/doc/imuxsock.html 
@@ -0,0 +1,47 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html><head> +<meta http-equiv="Content-Language" content="en"><title>Unix Socket Input</title> + +</head> +<body> +<h1>Unix Socket Input</h1> +<p><b>Module Name: imuxsock</b></p> +<p><b>Author: </b>Rainer Gerhards +<rgerhards@adiscon.com></p> +<p><b>Description</b>:</p> +<p>Provides the ability to accept syslog messages via local Unix +sockets. Most importantly, this is the mechanism by which the syslog(3) +call delivers syslog messages to rsyslogd. So you need to have this +module loaded to read the system log socket and be able to process log +messages from applications running on the local system.</p><p>Application-provided +timestamps are ignored by default. This is needed, as some programs +(e.g. sshd) log with inconsistent timezone information, what +messes up the local logs (which by default don't even contain time zone +information). This seems to be consistent with what sysklogd did for +the past four years. Alternate behaviour may be desirable if +gateway-like processes send messages via the local log slot - in this +case, it can be enabled via the +$InputUnixListenSocketIgnoreMsgTimestamp and $SystemLogSocketIgnoreMsgTimestamp config directives</p><p><b>Configuration Directives</b>:</p> +<ul> +<li><span style="font-weight: bold;">$InputUnixListenSocketIgnoreMsgTimestamp</span> [<span style="font-weight: bold;">on</span>/off]<strong></strong><br>Ignore timestamps included in the message. 
Applies to the next socket being added.</li><li><span style="font-weight: bold;">$SystemLogSocketIgnoreMsgTimestamp</span> [<span style="font-weight: bold;">on</span>/off]<br>Ignore timestamps included in the messages, applies to messages received via the system log socket.</li><li><span style="font-weight: bold;">$OmitLocalLogging</span> (imuxsock) [on/<b>off</b>] -- +former -o option</li><li><span style="font-weight: bold;">$SystemLogSocketName</span> <name-of-socket> -- +former -p option</li><li><span style="font-weight: bold;">$AddUnixListenSocket</span> <name-of-socket> adds +additional unix socket, default none -- former -a option</li></ul> +<b>Caveats/Known Bugs:</b><br> +<br> +This documentation is sparse and incomplete. +<p><b>Sample:</b></p> +<p>The following sample is the minimum setup required to accept syslog messages from applications running on the local system.<br> +</p> +<textarea rows="15" cols="60">$ModLoad imuxsock # needs to be done just once +</textarea> +<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] +[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> +<p><font size="2">This documentation is part of the +<a href="http://www.rsyslog.com/">rsyslog</a> +project.<br> +Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer +Gerhards</a> and +<a href="http://www.adiscon.com/">Adiscon</a>. +Released under the GNU GPL version 3 or higher.</font></p> +</body></html>
\ No newline at end of file diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html index 9e67a8c1..11f80a2d 100644 --- a/doc/rsyslog_conf.html +++ b/doc/rsyslog_conf.html @@ -1,7 +1,5 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html><head><title>rsyslog.conf file</title> - -</head> +<html><head><title>rsyslog.conf file</title></head> <body> <h1>rsyslog.conf configuration file</h1> <p><b>This document is currently being enhanced. Please @@ -43,7 +41,7 @@ plugin for plain tcp syslog</li> <li><a href="imgssapi.html">imgssapi</a> - input plugin for plain tcp and GSS-enable syslog</li> <li>immark - support for mark messages</li> -<li>imklog - kernel logging</li> +<li>imklog - kernel logging</li><li><a href="imuxsock.html">imuxsock</a> - unix sockets, including the system log socket</li> </ul> <p>Please note that each module provides configuration directives, which are NOT necessarily being listed below. Also @@ -100,10 +98,7 @@ default 60000 (1 minute)]</li> worker threads, default 1, recommended 1</li> <li>$ActionQueueWorkerThreadMinumumMessages <number>, default 100</li> -<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li> -<li>$AddUnixListenSocket <name-of-socket> adds -additional unix socket, default none -- former -a option</li> -<li>$ActionResumeRetryCount <number> [default 0, +<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li><li>$ActionResumeRetryCount <number> [default 0, -1 means eternal]</li> <li><a href="rsconf1_allowedsender.html">$AllowedSender</a></li> <li><a href="rsconf1_controlcharacterescapeprefix.html">$ControlCharacterEscapePrefix</a></li> 
@@ -171,15 +166,11 @@ worker threads, default 1, recommended 1</li> (immark)</li> <li><a href="rsconf1_moddir.html">$ModDir</a></li> <li><a href="rsconf1_modload.html">$ModLoad</a></li> -<li>$OmitLocalLogging (imuxsock) [on/<b>off</b>] -- -former -o option</li> + <li><a href="rsconf1_repeatedmsgreduction.html">$RepeatedMsgReduction</a></li> <li><a href="rsconf1_resetconfigvariables.html">$ResetConfigVariables</a></li> <li>$WorkDirectory <name> (directory for spool -and other work files)</li> -<li>$SystemLogSocketName <name-of-socket> -- -former -p option</li> -<li>$UDPServerAddress <IP> (imudp) -- local IP +and other work files)</li><li>$UDPServerAddress <IP> (imudp) -- local IP address (or name) the UDP listens should bind to</li> <li>$UDPServerRun <port> (imudp) -- former -r<port> option, default 514, start UDP server on this diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c index 238328ea..46c78e70 100644 --- a/plugins/imklog/imklog.c +++ b/plugins/imklog/imklog.c @@ -127,7 +127,7 @@ static rsRetVal writeSyslogV(int iPRI, const char *szFmt, va_list va) /* here we must create our message object and supply it to the message queue */ - CHKiRet(parseAndSubmitMessage(LocalHostName, msgBuf, strlen(msgBuf), MSG_DONT_PARSE_HOSTNAME)); + CHKiRet(parseAndSubmitMessage(LocalHostName, msgBuf, strlen(msgBuf), MSG_DONT_PARSE_HOSTNAME, NOFLAG)); finalize_it: RETiRet; diff --git a/plugins/imudp/imudp.c b/plugins/imudp/imudp.c index 70a7b3f7..be9fb6cc 100644 --- a/plugins/imudp/imudp.c +++ b/plugins/imudp/imudp.c @@ -189,7 +189,8 @@ CODESTARTrunInput */ if(isAllowedSender(pAllowedSenders_UDP, (struct sockaddr *)&frominet, (char*)fromHostFQDN)) { - parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l, + MSG_PARSE_HOSTNAME, NOFLAG); } else { dbgprintf("%s is not an allowed sender\n", (char*)fromHostFQDN); if(option_DisallowWarning) { 
diff --git a/plugins/imuxsock/imuxsock.c b/plugins/imuxsock/imuxsock.c index 68978231..1d26de4b 100644 --- a/plugins/imuxsock/imuxsock.c +++ b/plugins/imuxsock/imuxsock.c @@ -68,6 +68,7 @@ static int startIndexUxLocalSockets; /* process funix from that index on (used t * read-only after startup */ static int funixParseHost[MAXFUNIX] = { 0, }; /* should parser parse host name? read-only after startup */ +static int funixFlags[MAXFUNIX] = { ADDDATE, }; /* should parser parse host name? read-only after startup */ static uchar *funixn[MAXFUNIX] = { (uchar*) _PATH_LOG }; /* read-only after startup */ static int funix[MAXFUNIX] = { -1, }; /* read-only after startup */ static int nfunix = 1; /* number of Unix sockets open / read-only after startup */ @@ -75,6 +76,20 @@ static int nfunix = 1; /* number of Unix sockets open / read-only after startup /* config settings */ static int bOmitLocalLogging = 0; static uchar *pLogSockName = NULL; +static int bIgnoreTimestamp = 1; /* ignore timestamps present in the incoming message? */ + + +/* set the timestamp ignore / not ignore option for the system + * log socket. This must be done separtely, as it is not added via a command + * but present by default. -- rgerhards, 2008-03-06 + */ +static rsRetVal setSystemLogTimestampIgnore(void __attribute__((unused)) *pVal, int iNewVal) +{ + DEFiRet; +RUNLOG_VAR("%d", iNewVal); + funixFlags[0] = iNewVal ? ADDDATE : NOFLAG; + RETiRet; +} /* add an additional listen socket. Socket names are added @@ -95,6 +110,7 @@ static rsRetVal addLstnSocketName(void __attribute__((unused)) *pVal, uchar *pNe else { funixParseHost[nfunix] = 0; } + funixFlags[nfunix] = bIgnoreTimestamp ? ADDDATE : NOFLAG; funixn[nfunix++] = pNewVal; } else { 
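Review bot: The comment on the new `funixFlags` array in the `@@ -68,6 +68,7 @@` hunk was copied from `funixParseHost` on the line above and still reads "should parser parse host name?", which is not what the array holds. It stores the per-socket flags that readSocket later passes to parseAndSubmitMessage, so something like `/* per-socket logmsg() flags (ADDDATE = ignore the client-supplied timestamp); read-only after startup */` would match the code. Only element 0 is initialised to ADDDATE here; the remaining entries start at 0 (NOFLAG) and are set in addLstnSocketName, which is worth saying in the same comment.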
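Review bot: `RUNLOG_VAR("%d", iNewVal);` in setSystemLogTimestampIgnore (hunk `@@ -75,6 +76,20 @@`) looks like a leftover debugging statement: it is the only line of the function at column 0, and no other config handler in this diff has one. I would drop it, or, if the trace is wanted, use the call the module already uses elsewhere, `dbgprintf("system log socket: ignore msg timestamp = %d\n", iNewVal);`. The header comment of the same function also has a typo, "separtely".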
@@ -157,7 +173,7 @@ static int create_unix_socket(const char *path) * to receive and submits the message received for processing. * rgerhards, 2007-12-20 */ -static rsRetVal readSocket(int fd, int bParseHost) +static rsRetVal readSocket(int fd, int bParseHost, int flags) { DEFiRet; int iRcvd; @@ -166,7 +182,7 @@ static rsRetVal readSocket(int fd, int bParseHost) iRcvd = recv(fd, line, MAXLINE - 1, 0); dbgprintf("Message from UNIX socket: #%d\n", fd); if (iRcvd > 0) { - parseAndSubmitMessage(LocalHostName, line, iRcvd, bParseHost); + parseAndSubmitMessage(LocalHostName, line, iRcvd, bParseHost, flags); } else if (iRcvd < 0 && errno != EINTR) { char errStr[1024]; rs_strerror_r(errno, errStr, sizeof(errStr)); @@ -221,7 +237,7 @@ CODESTARTrunInput for (i = 0; i < nfunix && nfds > 0; i++) { if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) { - readSocket(fd, funixParseHost[i]); + readSocket(fd, funixParseHost[i], funixFlags[i]); --nfds; /* indicate we have processed one */ } } @@ -292,6 +308,7 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a discardFunixn(); nfunix = 1; + bIgnoreTimestamp = 1; return RS_RET_OK; } 
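Review bot: resetConfigVariables now restores `bIgnoreTimestamp = 1` (hunk `@@ -292,6 +308,7 @@`) but leaves `funixFlags[0]` untouched, so a value set through $SystemLogSocketIgnoreMsgTimestamp appears to survive $ResetConfigVariables while the setting for additional sockets returns to its default. If the reset is meant to cover both directives, add `funixFlags[0] = ADDDATE;` next to the new line, so the system log socket goes back to ignoring client timestamps as well. The function starts outside the hunk, so an earlier line may already handle this, but nothing visible does.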
@@ -313,12 +330,22 @@ CODEmodInit_QueryRegCFSLineHdlr /* register config file handlers */ CHKiRet(omsdRegCFSLineHdlr((uchar *)"omitlocallogging", 0, eCmdHdlrBinary, NULL, &bOmitLocalLogging, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputunixlistensocketignoremsgtimestamp", 0, eCmdHdlrBinary, + NULL, &bIgnoreTimestamp, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"systemlogsocketname", 0, eCmdHdlrGetWord, NULL, &pLogSockName, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"addunixlistensocket", 0, eCmdHdlrGetWord, addLstnSocketName, NULL, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); + /* the following one is a (dirty) trick: the system log socket is not added via + * an "addUnixListenSocket" config format. As such, the timestamp can not be modified + * via $InputUnixListenSocketIgnoreMsgTimestamp". So we need to add a special directive + * for that. We should revisit all of that once we have the new config format... + * rgerhards, 2008-03-06 + */ + CHKiRet(omsdRegCFSLineHdlr((uchar *)"systemlogsocketignoremsgtimestamp", 0, eCmdHdlrBinary, + setSystemLogTimestampIgnore, NULL, STD_LOADABLE_MODULE_ID)); ENDmodInit /* * vi:set ai: @@ -628,8 +628,10 @@ void untty(void) * HOSTNAME or not. rgerhards 2004-11-16. * changed parameter iSource to bParseHost. For details, see comment in * printchopped(). rgerhards 2005-10-06 + * rgerhards: 2008-03-06: added "flags" to allow an input module to specify + * flags, most importantly to request ignoring the messages' timestamp. */ -rsRetVal printline(char *hname, char *msg, int bParseHost) +rsRetVal printline(char *hname, char *msg, int bParseHost, int flags) { DEFiRet; register char *p; 
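Review bot: The block comment added before the `systemlogsocketignoremsgtimestamp` registration (hunk `@@ -313,12 +330,22 @@`) explains why a second directive exists but not what trust decision either directive makes. With the option off, the timestamp recorded for a message is presumably the one supplied by whichever local process wrote to the socket (logmsg's handling of ADDDATE is not part of this diff), which matters to anyone who later builds a timeline from these logs. I would extend the comment with a line such as `/* off = keep the sender's timestamp; any process that can write to the socket then chooses it */`. It is also worth noting there that `inputunixlistensocketignoremsgtimestamp` only affects sockets added after it, because addLstnSocketName reads bIgnoreTimestamp at the moment the socket is added. The modInit block starts outside the hunk.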
@@ -678,7 +680,7 @@ rsRetVal printline(char *hname, char *msg, int bParseHost) if(MsgSetUxTradMsg(pMsg, p) != 0) ABORT_FINALIZE(RS_RET_ERR); - logmsg(pMsg, SYNC_FILE); + logmsg(pMsg, flags | SYNC_FILE); finalize_it: RETiRet; @@ -716,7 +718,7 @@ finalize_it: * improve in the future. <-- TODO! */ rsRetVal -parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost) +parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost, int flags) { DEFiRet; register int iMsg; @@ -815,7 +817,7 @@ parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost) */ if(iMsg == MAXLINE) { *(pMsg + iMsg) = '\0'; /* space *is* reserved for this! */ - printline(hname, tmpline, bParseHost); + printline(hname, tmpline, bParseHost, flags); } else { /* This case in theory never can happen. If it happens, we have * a logic error. I am checking for it, because if I would not, @@ -867,7 +869,7 @@ parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost) *(pMsg + iMsg) = '\0'; /* space *is* reserved for this! */ /* typically, we should end up here! */ - printline(hname, tmpline, bParseHost); + printline(hname, tmpline, bParseHost, flags); finalize_it: RETiRet; @@ -62,6 +62,7 @@ /* Flags to logmsg(). */ +#define NOFLAG 0x000 /* no flag is set (to be used when a flag must be specified and none is required) */ #define INTERNAL_MSG 0x001 /* msg generated by logmsgInternal() --> special handling */ #define SYNC_FILE 0x002 /* do fsync on file after printing */ #define ADDDATE 0x004 /* add a date to the message */ 
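Review bot: `logmsg(pMsg, flags | SYNC_FILE);` in printline (hunk `@@ -678,7 +680,7 @@`) forwards every bit of the caller's `flags` to logmsg, including INTERNAL_MSG, which syslogd.h describes as getting special handling. Every call site in this commit passes only NOFLAG or ADDDATE, so nothing is wrong today, but if ADDDATE is the only flag input modules are meant to set, masking here keeps a future caller from switching on the others by accident: `logmsg(pMsg, (flags & ADDDATE) | SYNC_FILE);`. The comment added to printline's header in the previous hunk could then name ADDDATE as the accepted flag. printline's body starts outside this hunk.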
@@ -117,7 +118,7 @@ typedef struct filed selector_t; /* new type name */ #define MSG_PARSE_HOSTNAME 1 #define MSG_DONT_PARSE_HOSTNAME 0 -rsRetVal parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost); +rsRetVal parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost, int flags); int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost); void untty(void); rsRetVal selectorConstruct(selector_t **ppThis); diff --git a/tcps_sess.c b/tcps_sess.c index f8f9f5bd..c86bcf8d 100644 --- a/tcps_sess.c +++ b/tcps_sess.c @@ -207,8 +207,7 @@ PrepareClose(tcps_sess_t *pThis) * this case. */ dbgprintf("Extra data at end of stream in legacy syslog/tcp message - processing\n"); - parseAndSubmitMessage(pThis->fromHost, pThis->msg, - pThis->iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pThis->msg, pThis->iMsg, MSG_PARSE_HOSTNAME, NOFLAG); pThis->bAtStrtOfFram = 1; } @@ -354,7 +353,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen) /* emergency, we now need to flush, no matter if * we are at end of message or not... */ - parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG); iMsg = 0; /* we might think if it is better to ignore the rest of the * message than to treat it as a new one. Maybe this is a good @@ -365,7 +364,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen) if(*pData == '\n' && pThis->eFraming == TCP_FRAMING_OCTET_STUFFING) { /* record delemiter? */ - parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG); iMsg = 0; pThis->bAtStrtOfFram = 1; ++pData; 
@@ -379,7 +378,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen) pThis->iOctetsRemain--; if(pThis->iOctetsRemain < 1) { /* we have end of frame! */ - parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG); iMsg = 0; pThis->bAtStrtOfFram = 1; } |