authorRainer Gerhards <rgerhards@adiscon.com>2011-02-11 11:48:29 +0100
committerRainer Gerhards <rgerhards@adiscon.com>2011-02-11 11:48:29 +0100
commitb941f68aaeec4bd458328e09121b623ac63f6dd6 (patch)
tree3bd6490dbcb77ad72bdb186a02f3bf297607964a
parent819ac126e2cc85916bee32575c85b3c8d7317325 (diff)
parent2d67035d1b851bdfb430e6980ca217c1807b3a9c (diff)
Merge branch 'v5-beta'
Conflicts: ChangeLog configure.ac doc/manual.html
-rw-r--r--ChangeLog11
-rw-r--r--Makefile.am4
-rw-r--r--configure.ac25
-rw-r--r--doc/manual.html1
-rw-r--r--plugins/imfile/imfile.c22
-rw-r--r--plugins/imuxsock/imuxsock.c89
-rw-r--r--plugins/pmcisconames/pmcisconames.c27
-rw-r--r--plugins/pmsnare/Makefile.am8
-rw-r--r--plugins/pmsnare/pmsnare.c238
-rw-r--r--runtime/stream.c10
-rw-r--r--runtime/stringbuf.c2
-rw-r--r--tools/syslogd.c39
12 files changed, 407 insertions, 69 deletions
diff --git a/ChangeLog b/ChangeLog
index 4e62100e..2d86a077 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -76,7 +76,16 @@ expected that interfaces, even new ones, break during the initial
syslog plain tcp input plugin (NOT supporting TLS!)
[ported from v4]
---------------------------------------------------------------------------
-Version 5.7.3 [V5-DEVEL] (rgerhards), 2010-12-??
+Version 5.7.4 [V5-BETA] (rgerhards), 2011-02-??
+- added pmsnare parser module (written by David Lang)
+- enhanced imfile to support non-cancel input termination
+- improved systemd socket activation thanks to Marius Tomaschweski
+- bugfix: pmsnare causded abort under some conditions
+- bugfix: abort if imfile reads file line of more than 64KiB
+ Thanks to Peter Eisentraut for reporting and analysing this problem.
+ bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=221
+---------------------------------------------------------------------------
+Version 5.7.3 [V5-BETA] (rgerhards), 2011-02-07
- added support for processing multi-line messages in imfile
- added $IMUDPSchedulingPolicy and $IMUDPSchedulingPriority config settings
- added $LocalHostName config directive
diff --git a/Makefile.am b/Makefile.am
index 22818f3e..b63e9ecc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -131,6 +131,10 @@ if ENABLE_PMAIXFORWARDEDFROM
SUBDIRS += plugins/pmaixforwardedfrom
endif
+if ENABLE_PMSNARE
+SUBDIRS += plugins/pmsnare
+endif
+
if ENABLE_PMLASTMSG
SUBDIRS += plugins/pmlastmsg
endif
diff --git a/configure.ac b/configure.ac
index 848bb45a..9b3a2e82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -823,7 +823,7 @@ AC_SUBST(LIBLOGGING_LIBS)
# enable/disable the testbench (e.g. because some important parts
# are missing)
AC_ARG_ENABLE(testbench,
- [AS_HELP_STRING([--enable-testbench],[file input module enabled @<:@default=yes@:>@])],
+ [AS_HELP_STRING([--enable-testbench],[testbench enabled @<:@default=yes@:>@])],
[case "${enableval}" in
yes) enable_testbench="yes" ;;
no) enable_testbench="no" ;;
@@ -854,7 +854,7 @@ AM_CONDITIONAL(ENABLE_IMFILE, test x$enable_imfile = xyes)
# settings for the door input module (under solaris, thus default off)
AC_ARG_ENABLE(imsolaris,
- [AS_HELP_STRING([--enable-imsolaris],[door input module enabled @<:@default=no@:>@])],
+ [AS_HELP_STRING([--enable-imsolaris],[solaris input module enabled @<:@default=no@:>@])],
[case "${enableval}" in
yes) enable_imsolaris="yes" ;;
no) enable_imsolaris="no" ;;
@@ -998,6 +998,19 @@ AC_ARG_ENABLE(pmaixforwardedfrom,
AM_CONDITIONAL(ENABLE_PMAIXFORWARDEDFROM, test x$enable_pmaixforwardedfrom = xyes)
+# settings for pmsnare
+AC_ARG_ENABLE(pmsnare,
+ [AS_HELP_STRING([--enable-pmsnare],[Compiles snare parser module @<:@default=no@:>@])],
+ [case "${enableval}" in
+ yes) enable_pmsnare="yes" ;;
+ no) enable_pmsnare="no" ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable-pmsnare) ;;
+ esac],
+ [enable_pmsnare=no]
+)
+AM_CONDITIONAL(ENABLE_PMSNARE, test x$enable_pmsnare = xyes)
+
+
# settings for pmrfc3164sd
AC_ARG_ENABLE(pmrfc3164sd,
[AS_HELP_STRING([--enable-pmrfc3164sd],[Compiles rfc3164sd parser module @<:@default=no@:>@])],
@@ -1061,7 +1074,7 @@ AC_SUBST(RELP_LIBS)
# settings for omuxsock
AC_ARG_ENABLE(omuxsock,
- [AS_HELP_STRING([--enable-omuxsock],[Compiles stdout module @<:@default=no@:>@])],
+ [AS_HELP_STRING([--enable-omuxsock],[Compiles omuxsock module @<:@default=no@:>@])],
[case "${enableval}" in
yes) enable_omuxsock="yes" ;;
no) enable_omuxsock="no" ;;
@@ -1076,7 +1089,7 @@ AM_CONDITIONAL(ENABLE_OMUXSOCK, test x$enable_omuxsock = xyes)
# part of rsyslog, into the build process. It is named cust1, so that
# additional such modules can easily be added.
AC_ARG_ENABLE(cust1,
- [AS_HELP_STRING([--enable-cust1],[Compiles stdout module @<:@default=no@:>@])],
+ [AS_HELP_STRING([--enable-cust1],[Compiles cust1 module @<:@default=no@:>@])],
[case "${enableval}" in
yes) enable_cust1="yes" ;;
no) enable_cust1="no" ;;
@@ -1182,6 +1195,7 @@ AC_CONFIG_FILES([Makefile \
plugins/pmrfc3164sd/Makefile \
plugins/pmlastmsg/Makefile \
plugins/pmcisconames/Makefile \
+ plugins/pmsnare/Makefile \
plugins/pmaixforwardedfrom/Makefile \
plugins/omruleset/Makefile \
plugins/omdbalerting/Makefile \
@@ -1248,7 +1262,8 @@ echo "---{ parser modules }---"
echo " pmrfc3164sd module will be compiled: $enable_pmrfc3164sd"
echo " pmlastmsg module will be compiled: $enable_pmlastmsg"
echo " pmcisconames module will be compiled: $enable_pmcisconames"
-echo " pmaixforwardedfrom module will be compiled: $enable_pmaixforwardedfrom"
+echo " pmaixforwardedfrom module w.be compiled: $enable_pmaixforwardedfrom"
+echo " pmsnare module will be compiled: $enable_pmsnare"
echo
echo "---{ message modification modules }---"
echo " mmnormalize module will be compiled: $enable_mmnormalize"
diff --git a/doc/manual.html b/doc/manual.html
index 2536290c..29813f5e 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -41,7 +41,6 @@ if you do not read the doc, but doing so will definitely improve your experience
<li><a href="rsyslog_conf.html">configuration file syntax (rsyslog.conf)</a></li>
<li><a href="http://www.rsyslog.com/tool-regex">a regular expression checker/generator tool for rsyslog</a></li>
<li> <a href="property_replacer.html">property replacer, an important core component</a></li>
-<li>a commented <a href="sample.conf.html">sample rsyslog.conf</a> </li>
<li><a href="bugs.html">rsyslog bug list</a></li>
<li><a href="messageparser.html">understanding rsyslog message parsers</a></li>
<li><a href="generic_design.html">backgrounder on generic syslog application design</a></li>
diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index 5d50dfd6..a9096dca 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -213,7 +213,7 @@ static rsRetVal pollFile(fileInfo_t *pThis, int *pbHadFileData)
}
/* loop below will be exited when strmReadLine() returns EOF */
- while(1) {
+ while(glbl.GetGlobalInputTermState() == 0) {
CHKiRet(strm.ReadLine(pThis->pStrm, &pCStr, pThis->readMode));
*pbHadFileData = 1; /* this is just a flag, so set it and forget it */
CHKiRet(enqLine(pThis, pCStr)); /* process line */
@@ -289,9 +289,10 @@ BEGINrunInput
int bHadFileData; /* were there at least one file with data during this run? */
CODESTARTrunInput
pthread_cleanup_push(inputModuleCleanup, NULL);
- while(1) {
-
+ while(glbl.GetGlobalInputTermState() == 0) {
do {
+ if(glbl.GetGlobalInputTermState() == 1)
+ break; /* terminate input! */
bHadFileData = 0;
for(i = 0 ; i < iFilPtr ; ++i) {
pollFile(&files[i], &bHadFileData);
@@ -302,10 +303,10 @@ CODESTARTrunInput
* hogging the CPU if the users selects a polling interval of 0 seconds. It doesn't hurt any
* other valid scenario. So do not remove. -- rgerhards, 2008-02-14
*/
- srSleep(iPollInterval, 10);
-
+ if(glbl.GetGlobalInputTermState() == 0)
+ srSleep(iPollInterval, 10);
}
- /*NOTREACHED*/
+ DBGPRINTF("imfile: terminating upon request of rsyslog core\n");
pthread_cleanup_pop(0); /* just for completeness, but never called... */
RETiRet; /* use it to make sure the housekeeping is done! */
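Review bot: The comment on `pthread_cleanup_pop(0); /* just for completeness, but never called... */` is now wrong: with the loop condition changed to `while(glbl.GetGlobalInputTermState() == 0)` the loop does exit on termination and that line is reached, and its argument 0 means the registered handler is deliberately not run there. Suggest `pthread_cleanup_pop(0); /* reached on non-cancel termination; 0 = do not run inputModuleCleanup here */` so the next reader does not assume the cleanup handler executes on this path. The enclosing runInput body starts outside this hunk.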
@@ -398,6 +399,13 @@ CODESTARTafterRun
ENDafterRun
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+ if(eFeat == sFEATURENonCancelInputTermination)
+ iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+
/* The following entry points are defined in module-template.h.
* In general, they need to be present, but you do NOT need to provide
* any code here.
@@ -416,6 +424,7 @@ ENDmodExit
BEGINqueryEtryPt
CODESTARTqueryEtryPt
CODEqueryEtryPt_STD_IMOD_QUERIES
+CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
ENDqueryEtryPt
@@ -527,6 +536,7 @@ CODEmodInit_QueryRegCFSLineHdlr
CHKiRet(objUse(strm, CORE_COMPONENT));
CHKiRet(objUse(prop, CORE_COMPONENT));
+ DBGPRINTF("imfile: version %s initializing\n", VERSION);
CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputfilename", 0, eCmdHdlrGetWord,
NULL, &pszFileName, STD_LOADABLE_MODULE_ID, eConfObjGlobal));
CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputfiletag", 0, eCmdHdlrGetWord,
diff --git a/plugins/imuxsock/imuxsock.c b/plugins/imuxsock/imuxsock.c
index c1168c87..ede8d954 100644
--- a/plugins/imuxsock/imuxsock.c
+++ b/plugins/imuxsock/imuxsock.c
@@ -143,7 +143,7 @@ static int startIndexUxLocalSockets; /* process fd from that index on (used to
* read-only after startup
*/
static int nfd = 1; /* number of Unix sockets open / read-only after startup */
-static int bSysSockFromSystemd = 0; /* Did we receive the system socket from systemd? */
+static int sd_fds = 0; /* number of systemd activated sockets */
/* config settings */
static int bOmitLocalLogging = 0;
@@ -372,41 +372,32 @@ openLogSocket(lstn_t *pLstn)
if(pLstn->sockName[0] == '\0')
return -1;
- if (ustrcmp(pLstn->sockName, UCHAR_CONSTANT(_PATH_LOG)) == 0) {
- bSysSockFromSystemd = 0; /* set default */
- int r;
-
- /* System log socket code. Check whether an FD was passed in from systemd. If
- * so, it's the /dev/log socket, so use it. */
-
- r = sd_listen_fds(0);
- if (r < 0) {
- errmsg.LogError(-r, NO_ERRCODE, "Failed to acquire systemd socket");
- ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
- }
-
- if (r > 1) {
- errmsg.LogError(EINVAL, NO_ERRCODE, "Wrong number of systemd sockets passed");
- ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
- }
-
- if (r == 1) {
- pLstn->fd = SD_LISTEN_FDS_START;
- r = sd_is_socket_unix(pLstn->fd, SOCK_DGRAM, -1, _PATH_LOG, 0);
- if (r < 0) {
- errmsg.LogError(-r, NO_ERRCODE, "Failed to verify systemd socket type");
- ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
- }
-
- if (!r) {
- errmsg.LogError(EINVAL, NO_ERRCODE, "Passed systemd socket of wrong type");
- ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
- }
- bSysSockFromSystemd = 1; /* indicate we got the socket from systemd */
- } else {
- CHKiRet(createLogSocket(pLstn));
+ pLstn->fd = -1;
+
+ if (sd_fds > 0) {
+ /* Check if the current socket is a systemd activated one.
+ * If so, just use it.
+ */
+ int fd;
+
+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + sd_fds; fd++) {
+ if( sd_is_socket_unix(fd, SOCK_DGRAM, -1, (const char*) pLstn->sockName, 0) == 1) {
+ /* ok, it matches -- just use as is */
+ pLstn->fd = fd;
+
+ dbgprintf("imuxsock: Acquired UNIX socket '%s' (fd %d) from systemd.\n",
+ pLstn->sockName, pLstn->fd);
+ break;
+ }
+ /*
+ * otherwise it either didn't matched *this* socket and
+ * we just continue to check the next one or there were
+ * an error and we will create a new socket bellow.
+ */
}
- } else {
+ }
+
+ if (pLstn->fd == -1) {
CHKiRet(createLogSocket(pLstn));
}
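Review bot: A negative return from sd_is_socket_unix() inside the fd loop is treated exactly like a non-match, so after a verification error the code falls through to createLogSocket() and presumably binds a fresh socket at the same path that systemd may still hold; the loop comment acknowledges this, and the removed code used to log "Failed to verify systemd socket type" instead. Keep the diagnostic: `int r = sd_is_socket_unix(fd, SOCK_DGRAM, -1, (const char*) pLstn->sockName, 0);` then `if(r < 0) errmsg.LogError(-r, NO_ERRCODE, "imuxsock: cannot verify systemd fd %d", fd); else if(r == 1) { ...existing match code... }`. Passed fds that match no listener are likewise left open without any message (the close loop in tools/syslogd.c deliberately skips the SD_LISTEN_FDS range), so a dbgprintf in willRun when sd_fds exceeds the number of matched listeners would help when diagnosing a unit file. The loop comment's "didn't matched" and "bellow" should read "didn't match" and "below".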
@@ -774,12 +765,18 @@ CODESTARTwillRun
listeners[0].bUseCreds = (bWritePidSysSock || ratelimitIntervalSysSock) ? 1 : 0;
listeners[0].bWritePid = bWritePidSysSock;
+ sd_fds = sd_listen_fds(0);
+ if (sd_fds < 0) {
+ errmsg.LogError(-sd_fds, NO_ERRCODE, "imuxsock: Failed to acquire systemd socket");
+ ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
+ }
+
/* initialize and return if will run or not */
actSocks = 0;
for (i = startIndexUxLocalSockets ; i < nfd ; i++) {
if(openLogSocket(&(listeners[i])) == RS_RET_OK) {
++actSocks;
- dbgprintf("Opened UNIX socket '%s' (fd %d).\n", listeners[i].sockName, listeners[i].fd);
+ dbgprintf("imuxsock: Opened UNIX socket '%s' (fd %d).\n", listeners[i].sockName, listeners[i].fd);
}
}
@@ -806,15 +803,19 @@ CODESTARTafterRun
if (listeners[i].fd != -1)
close(listeners[i].fd);
- /* Clean-up files. If systemd passed us a socket it is
- * systemd's job to clean it up.*/
- if(bSysSockFromSystemd) {
- DBGPRINTF("imuxsock: got system socket from systemd, not unlinking it\n");
- i = 1;
- } else
- i = startIndexUxLocalSockets;
- for(; i < nfd; i++)
+ /* Clean-up files. */
+ for(i = startIndexUxLocalSockets; i < nfd; i++)
if (listeners[i].sockName && listeners[i].fd != -1) {
+
+ /* If systemd passed us a socket it is systemd's job to clean it up.
+ * Do not unlink it -- we will get same socket (node) from systemd
+ * e.g. on restart again.
+ */
+ if (sd_fds > 0 &&
+ listeners[i].fd >= SD_LISTEN_FDS_START &&
+ listeners[i].fd < SD_LISTEN_FDS_START + sd_fds)
+ continue;
+
DBGPRINTF("imuxsock: unlinking unix socket file[%d] %s\n", i, listeners[i].sockName);
unlink((char*) listeners[i].sockName);
}
diff --git a/plugins/pmcisconames/pmcisconames.c b/plugins/pmcisconames/pmcisconames.c
index 47d1f6f6..4171e688 100644
--- a/plugins/pmcisconames/pmcisconames.c
+++ b/plugins/pmcisconames/pmcisconames.c
@@ -89,10 +89,29 @@ dbgprintf("pmcisconames: msg to look at: [%d]'%s'\n", lenMsg, p2parse);
dbgprintf("msg too short!\n");
ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
}
-
- /* skip over timestamp */
- lenMsg -=16;
- p2parse +=16;
+ /* check if the timestamp is a 16 character or 21 character timestamp
+ 'Mmm DD HH:MM:SS ' spaces at 3,6,15 : at 9,12
+ 'Mmm DD YYYY HH:MM:SS ' spaces at 3,6,11,20 : at 14,17
+ check for the : first as that will differentiate the two conditions the fastest
+ this allows the compiler to short circuit the rst of the tests if it is the wrong timestamp
+ but still check the rest to see if it looks correct
+ */
+ if ( *(p2parse + 9) == ':' && *(p2parse + 12) == ':' && *(p2parse + 3) == ' ' && *(p2parse + 6) == ' ' && *(p2parse + 15) == ' ') {
+ /* skip over timestamp */
+ dbgprintf("short timestamp found\n");
+ lenMsg -=16;
+ p2parse +=16;
+ } else {
+ if ( *(p2parse + 14) == ':' && *(p2parse + 17) == ':' && *(p2parse + 3) == ' ' && *(p2parse + 6) == ' ' && *(p2parse + 11) == ' ' && *(p2parse + 20) == ' ') {
+ /* skip over timestamp */
+ dbgprintf("long timestamp found\n");
+ lenMsg -=21;
+ p2parse +=21;
+ } else {
+ dbgprintf("timestamp is not one of the valid formats\n");
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+ }
+ }
/* now look for the next space to walk past the hostname */
while(lenMsg && *p2parse != ' ') {
--lenMsg;
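Review bot: The long-timestamp test reads up to `*(p2parse + 20)` and then does `lenMsg -=21`, but the only length check is the "msg too short" guard above the hunk, which on the old code only had to admit the 16 bytes that were skipped; unless that guard already requires at least 21 bytes, the long-form comparison and the subtraction can run past the end of the message. Make the requirement explicit in the condition itself: `if ( lenMsg >= 21 && *(p2parse + 14) == ':' && *(p2parse + 17) == ':' && ...`, and similarly `lenMsg >= 16 &&` on the short form so the guard does not depend on a constant elsewhere. The enclosing parse function starts and ends outside this hunk.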
diff --git a/plugins/pmsnare/Makefile.am b/plugins/pmsnare/Makefile.am
new file mode 100644
index 00000000..5b2696ac
--- /dev/null
+++ b/plugins/pmsnare/Makefile.am
@@ -0,0 +1,8 @@
+pkglib_LTLIBRARIES = pmsnare.la
+
+pmsnare_la_SOURCES = pmsnare.c
+pmsnare_la_CPPFLAGS = $(RSRT_CFLAGS) $(PTHREADS_CFLAGS) -I ../../tools
+pmsnare_la_LDFLAGS = -module -avoid-version
+pmsnare_la_LIBADD =
+
+EXTRA_DIST =
diff --git a/plugins/pmsnare/pmsnare.c b/plugins/pmsnare/pmsnare.c
new file mode 100644
index 00000000..4a9880d4
--- /dev/null
+++ b/plugins/pmsnare/pmsnare.c
@@ -0,0 +1,238 @@
+/* pmsnare.c
+ *
+ * this detects logs sent by Snare and cleans them up so that they can be processed by the normal parser
+ *
+ * there are two variations of this, if the client is set to 'syslog' mode it sends
+ *
+ * <pri>timestamp<sp>hostname<sp>tag<tab>otherstuff
+ *
+ * if the client is not set to syslog it sends
+ *
+ * hostname<tab>tag<tab>otherstuff
+ *
+ * ToDo, take advantage of items in the message itself to set more friendly information
+ * where the normal parser will find it by re-writing more of the message
+ *
+ * Intereting information includes:
+ *
+ * in the case of windows snare messages:
+ * the system hostname is field 12
+ * the severity is field 3 (criticality ranging form 0 to 4)
+ * the source of the log is field 4 and may be able to be mapped to facility
+ *
+ *
+ * created 2010-12-13 by David Lang based on pmlastmsg
+ *
+ * This file is part of rsyslog.
+ *
+ * Rsyslog is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rsyslog is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rsyslog. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * A copy of the GPL can be found in the file "COPYING" in this distribution.
+ */
+#include "config.h"
+#include "rsyslog.h"
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <ctype.h>
+#include "conf.h"
+#include "syslogd-types.h"
+#include "template.h"
+#include "msg.h"
+#include "module-template.h"
+#include "glbl.h"
+#include "errmsg.h"
+#include "parser.h"
+#include "datetime.h"
+#include "unicode-helper.h"
+
+MODULE_TYPE_PARSER
+PARSER_NAME("rsyslog.snare")
+
+/* internal structures
+ */
+DEF_PMOD_STATIC_DATA
+DEFobjCurrIf(errmsg)
+DEFobjCurrIf(glbl)
+DEFobjCurrIf(parser)
+DEFobjCurrIf(datetime)
+
+
+/* static data */
+static int bParseHOSTNAMEandTAG; /* cache for the equally-named global param - performance enhancement */
+
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+ if(eFeat == sFEATUREAutomaticSanitazion)
+ iRet = RS_RET_OK;
+ if(eFeat == sFEATUREAutomaticPRIParsing)
+ iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+
+BEGINparse
+ uchar *p2parse;
+ int lenMsg;
+ int snaremessage;
+ int tablength;
+
+CODESTARTparse
+ #define TabRepresentation "#011"
+ tablength=sizeof(TabRepresentation);
+ dbgprintf("Message will now be parsed by fix Snare parser.\n");
+ assert(pMsg != NULL);
+ assert(pMsg->pszRawMsg != NULL);
+
+ /* check if this message is of the type we handle in this (very limited) parser
+
+ find out if we have a space separated or tab separated for the first item
+ if tab separated see if the second word is one of our expected tags
+ if so replace the tabs with spaces so that hostname and syslog tag are going to be parsed properly
+ optionally replace the hostname at the beginning of the message with one from later in the message
+ else, wrong message, abort
+ else, assume that we have a valid timestamp, move over to the syslog tag
+ if that is tab separated from the rest of the message and one of our expected tags
+ if so, replace the tab with a space so that it will be parsed properly
+ optionally replace the hostname at the beginning of the message withone from later in the message
+
+ */
+ snaremessage=0;
+ lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* note: offAfterPRI is already the number of PRI chars (do not add one!) */
+ p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+ dbgprintf("pmsnare: msg to look at: [%d]'%s'\n", lenMsg, p2parse);
+ if((unsigned) lenMsg < 30) {
+ /* too short, can not be "our" message */
+ dbgprintf("msg too short!\n");
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+ }
+
+ while(lenMsg && *p2parse != ' ' && *p2parse != '\t' && *p2parse != '#') {
+ --lenMsg;
+ ++p2parse;
+ }
+ dbgprintf("pmsnare: separator [%d]'%s' msg after the first separator: [%d]'%s'\n", tablength,TabRepresentation,lenMsg, p2parse);
+ if ((lenMsg > tablength) && (*p2parse == '\t' || strncasecmp((char*) p2parse, TabRepresentation , tablength-1) == 0)) {
+ //if ((lenMsg > tablength) && (*p2parse == '\t' || *p2parse == '#')) {
+ dbgprintf("pmsnare: tab separated message\n");
+ if(strncasecmp((char*) (p2parse + tablength - 1), "MSWinEventLog", 13) == 0) {
+ snaremessage=13; /* 0 means not a snare message, a number is how long the tag is */
+ }
+ if(strncasecmp((char*) (p2parse + tablength - 1), "LinuxKAudit", 11) == 0) {
+ snaremessage=11; /* 0 means not a snare message, a number is how long the tag is */
+ }
+ if(snaremessage) {
+ /* replace the tab with a space and if needed move the message portion up by the length of TabRepresentation -2 characters to overwrite the extra : */
+ *p2parse = ' ';
+ lenMsg -=(tablength-2);
+ p2parse++;
+ lenMsg--;
+ memmove(p2parse, p2parse + (tablength-2), lenMsg);
+ *(p2parse + lenMsg) = '\n';
+ *(p2parse + lenMsg + 1) = '\0';
+ pMsg->iLenRawMsg -=(tablength-2);
+ pMsg->iLenMSG -=(tablength-2);
+ p2parse += snaremessage;
+ lenMsg -= snaremessage;
+ *p2parse = ' ';
+ p2parse++;
+ lenMsg--;
+ lenMsg -=(tablength-2);
+ memmove(p2parse, p2parse + (tablength-2), lenMsg);
+ *(p2parse + lenMsg) = '\n';
+ *(p2parse + lenMsg + 1) = '\0';
+ pMsg->iLenRawMsg -=(tablength-2);
+ pMsg->iLenMSG -=(tablength-2);
+ dbgprintf("found a Snare message with snare not set to send syslog messages\n");
+ }
+ } else {
+ /* go back to the beginning of the message */
+ lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* note: offAfterPRI is already the number of PRI chars (do not add one!) */
+ p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+ /* skip over timestamp and space*/
+ lenMsg -=17;
+ p2parse +=17;
+ /* skip over what should be the hostname */
+ while(lenMsg && *p2parse != ' ') {
+ --lenMsg;
+ ++p2parse;
+ }
+ if (lenMsg){
+ --lenMsg;
+ ++p2parse;
+ }
+ dbgprintf("pmsnare: separator [%d]'%s' msg after the timestamp and hostname: [%d]'%s'\n", tablength,TabRepresentation,lenMsg, p2parse);
+ if(lenMsg > 13 && strncasecmp((char*) p2parse, "MSWinEventLog", 13) == 0) {
+ snaremessage=13; /* 0 means not a snare message, a number is how long the tag is */
+ }
+ if(lenMsg > 11 && strncasecmp((char*) p2parse, "LinuxKAudit", 11) == 0) {
+ snaremessage=11; /* 0 means not a snare message, a number is how long the tag is */
+ }
+ if(snaremessage) {
+ p2parse += snaremessage;
+ lenMsg -= snaremessage;
+ *p2parse = ' ';
+ p2parse++;
+ lenMsg--;
+ lenMsg -=(tablength-2);
+ memmove(p2parse, p2parse + (tablength-2), lenMsg);
+ *(p2parse + lenMsg) = '\n';
+ *(p2parse + lenMsg + 1) = '\0';
+ pMsg->iLenRawMsg -=(tablength-2);
+ pMsg->iLenMSG -=(tablength-2);
+ dbgprintf("found a Snare message with snare set to send syslog messages\n");
+ }
+
+ }
+ DBGPRINTF("pmsnare: new message: [%d]'%s'\n", lenMsg, pMsg->pszRawMsg + pMsg->offAfterPRI);
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+
+finalize_it:
+ENDparse
+
+
+BEGINmodExit
+CODESTARTmodExit
+ /* release what we no longer need */
+ objRelease(errmsg, CORE_COMPONENT);
+ objRelease(glbl, CORE_COMPONENT);
+ objRelease(parser, CORE_COMPONENT);
+ objRelease(datetime, CORE_COMPONENT);
+ENDmodExit
+
+
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+CODEqueryEtryPt_STD_PMOD_QUERIES
+CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
+ENDqueryEtryPt
+
+
+BEGINmodInit()
+CODESTARTmodInit
+ *ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
+CODEmodInit_QueryRegCFSLineHdlr
+ CHKiRet(objUse(glbl, CORE_COMPONENT));
+ CHKiRet(objUse(errmsg, CORE_COMPONENT));
+ CHKiRet(objUse(parser, CORE_COMPONENT));
+ CHKiRet(objUse(datetime, CORE_COMPONENT));
+
+ DBGPRINTF("snare parser init called, compiled with version %s\n", VERSION);
+ bParseHOSTNAMEandTAG = glbl.GetParseHOSTNAMEandTAG(); /* cache value, is set only during rsyslogd option processing */
+
+
+ENDmodInit
+
+/* vim:set ai:
+ */
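Review bot: Both tag-removal blocks (the `if(snaremessage)` bodies in the tab branch and in the syslog branch) strip `tablength-2` bytes after the tag without checking that they exist or that they are TabRepresentation, so a message that ends within a few bytes of the tag drives lenMsg negative and that value reaches memmove() converted to size_t; the `lenMsg > 13`/`lenMsg > 11` guards only cover the tag, not the separator after it. Add before each `p2parse += snaremessage;`: `if(lenMsg < snaremessage + tablength - 1 || strncasecmp((char*) p2parse + snaremessage, TabRepresentation, tablength - 1) != 0) ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);` which also stops mangling messages whose tag is followed by something other than the encoded tab. The literal `'\t'` alternative in the tab-branch condition appears to be dead, since the tag lookup at `p2parse + tablength - 1` assumes the four-byte encoded form, and the commented-out `//if` line beneath it should be removed. The `#define TabRepresentation` inside the function body would be clearer at file scope next to the other static data, with a comment that it is the sanitized form of a tab that sFEATUREAutomaticSanitazion produces.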
diff --git a/runtime/stream.c b/runtime/stream.c
index 5f4249a8..24dbcc09 100644
--- a/runtime/stream.c
+++ b/runtime/stream.c
@@ -617,12 +617,12 @@ strmReadLine(strm_t *pThis, cstr_t **ppCStr, int mode)
CHKiRet(cstrFinalize(*ppCStr));
}
if (mode == 2){
-/* indented follow-up lines */
+ /* indented follow-up lines */
finished=0;
while(finished == 0){
if ((*ppCStr)->iStrLen == 0){
if(c != '\n') {
-/* nothing in the buffer, and it's not a newline, add it to the buffer */
+ /* nothing in the buffer, and it's not a newline, add it to the buffer */
CHKiRet(cstrAppendChar(*ppCStr, c));
CHKiRet(strmReadChar(pThis, &c));
} else {
@@ -630,7 +630,7 @@ strmReadLine(strm_t *pThis, cstr_t **ppCStr, int mode)
}
} else {
if ((*ppCStr)->pBuf[(*ppCStr)->iStrLen -1 ] != '\n'){
-/* not the first character after a newline, add it to the buffer */
+ /* not the first character after a newline, add it to the buffer */
CHKiRet(cstrAppendChar(*ppCStr, c));
CHKiRet(strmReadChar(pThis, &c));
} else {
@@ -638,7 +638,9 @@ strmReadLine(strm_t *pThis, cstr_t **ppCStr, int mode)
CHKiRet(cstrAppendChar(*ppCStr, c));
CHKiRet(strmReadChar(pThis, &c));
} else {
-/* clean things up by putting the character we just read back into the input buffer and removing the LF character that is currently at the end of the output string */
+ /* clean things up by putting the character we just read back into
+ * the input buffer and removing the LF character that is currently at the
+ * end of the output string */
CHKiRet(strmUnreadChar(pThis, c));
rsCStrTruncate(*ppCStr,1);
finished=1;
diff --git a/runtime/stringbuf.c b/runtime/stringbuf.c
index f4a9caae..d8c5923b 100644
--- a/runtime/stringbuf.c
+++ b/runtime/stringbuf.c
@@ -185,7 +185,7 @@ rsRetVal
rsCStrExtendBuf(cstr_t *pThis, size_t iMinNeeded)
{
uchar *pNewBuf;
- unsigned short iNewSize;
+ size_t iNewSize;
DEFiRet;
/* first compute the new size needed */
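Review bot: Widening iNewSize to size_t removes the 16-bit wrap for lines above 64 KiB, but the size computation, the allocation and the field the value is finally stored into are all outside this hunk; confirm the cstr_t size field is at least as wide, otherwise the truncation only moves one assignment further down. The growth arithmetic that follows should also refuse an iMinNeeded that cannot be represented after doubling rather than allocating a wrapped size. A note at the declaration, `size_t iNewSize; /* must not be narrower than the cstr_t size field; the old unsigned short wrapped at 64 KiB */`, would record why the type matters.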
diff --git a/tools/syslogd.c b/tools/syslogd.c
index 36b48bde..1ce810bf 100644
--- a/tools/syslogd.c
+++ b/tools/syslogd.c
@@ -2424,13 +2424,46 @@ doGlblProcessInit(void)
*/
exit(1); /* "good" exit - after forking, not diasabling anything */
}
+
num_fds = getdtablesize();
close(0);
/* we keep stdout and stderr open in case we have to emit something */
+ i = 3;
+
+ /* if (sd_booted()) */ {
+ const char *e;
+ char buf[24] = { '\0' };
+ char *p = NULL;
+ unsigned long l;
+ int sd_fds;
+
+ /* fork & systemd socket activation:
+ * fetch listen pid and update to ours,
+ * when it is set to pid of our parent.
+ */
+ if ( (e = getenv("LISTEN_PID"))) {
+ errno = 0;
+ l = strtoul(e, &p, 10);
+ if (errno == 0 && l > 0 && (!p || !*p)) {
+ if (getppid() == (pid_t)l) {
+ snprintf(buf, sizeof(buf), "%d",
+ getpid());
+ setenv("LISTEN_PID", buf, 1);
+ }
+ }
+ }
+
+ /*
+ * close only all further fds, except
+ * of the fds provided by systemd.
+ */
+ sd_fds = sd_listen_fds(0);
+ if (sd_fds > 0)
+ i = SD_LISTEN_FDS_START + sd_fds;
+ }
+ for ( ; i < num_fds; i++)
+ (void) close(i);
- if (sd_listen_fds(0) <= 0)
- for (i = 3; i < num_fds; i++)
- (void) close(i);
untty();
} else {
fputs(" Already running. If you want to run multiple instances, you need "
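Review bot: The LISTEN_PID rewrite relies on `getppid() == (pid_t)l` being evaluated while the original parent is still alive; the parent's `exit(1)` is visible just above, and if it can exit before the child reaches this point, getppid() returns the reaper's pid, LISTEN_PID stays stale, sd_listen_fds() returns 0 and the loop below closes the systemd sockets as stray descriptors. If the parent does not already block until the child has passed this step, capture the pid before fork() and compare against that instead of getppid(). Separately, `(!p || !*p)` is redundant because strtoul() never leaves p NULL when a non-NULL endptr is passed, so `*p == '\0'` suffices, and a one-line comment above the getenv() call explaining that sd_listen_fds() ignores the passed fds unless LISTEN_PID equals the current pid would make the block's purpose clear. The enclosing doGlblProcessInit body starts and ends outside this hunk.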