Merge branch 'v5-beta'

Conflicts:
	ChangeLog
	configure.ac
	doc/manual.html

5 files changed, 330 insertions, 54 deletions

diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
index 5d50dfd6..a9096dca 100644
--- a/plugins/imfile/imfile.c
+++ b/plugins/imfile/imfile.c
@@ -213,7 +213,7 @@ static rsRetVal pollFile(fileInfo_t *pThis, int *pbHadFileData)
 	}
 
 	/* loop below will be exited when strmReadLine() returns EOF */
-	while(1) {
+	while(glbl.GetGlobalInputTermState() == 0) {
 		CHKiRet(strm.ReadLine(pThis->pStrm, &pCStr, pThis->readMode));
 		*pbHadFileData = 1; /* this is just a flag, so set it and forget it */
 		CHKiRet(enqLine(pThis, pCStr)); /* process line */
@@ -289,9 +289,10 @@ BEGINrunInput
 	int bHadFileData; /* were there at least one file with data during this run? */
 CODESTARTrunInput
 	pthread_cleanup_push(inputModuleCleanup, NULL);
-	while(1) {
-
+	while(glbl.GetGlobalInputTermState() == 0) {
 		do {
+			if(glbl.GetGlobalInputTermState() == 1)
+				break; /* terminate input! */
 			bHadFileData = 0;
 			for(i = 0 ; i < iFilPtr ; ++i) {
 				pollFile(&files[i], &bHadFileData);
@@ -302,10 +303,10 @@ CODESTARTrunInput
 		 * hogging the CPU if the users selects a polling interval of 0 seconds. It doesn't hurt any
 		 * other valid scenario. So do not remove. -- rgerhards, 2008-02-14
 		 */
-		srSleep(iPollInterval, 10);
-
+		if(glbl.GetGlobalInputTermState() == 0)
+			srSleep(iPollInterval, 10);
 	}
-	/*NOTREACHED*/
+	DBGPRINTF("imfile: terminating upon request of rsyslog core\n");
 	
 	pthread_cleanup_pop(0); /* just for completeness, but never called... */
 	RETiRet;	/* use it to make sure the housekeeping is done! */
@@ -398,6 +399,13 @@ CODESTARTafterRun
 ENDafterRun
 
 
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+	if(eFeat == sFEATURENonCancelInputTermination)
+		iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+
 /* The following entry points are defined in module-template.h.
  * In general, they need to be present, but you do NOT need to provide
  * any code here.
@@ -416,6 +424,7 @@ ENDmodExit
 BEGINqueryEtryPt
 CODESTARTqueryEtryPt
 CODEqueryEtryPt_STD_IMOD_QUERIES
+CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
 ENDqueryEtryPt
 
 
@@ -527,6 +536,7 @@ CODEmodInit_QueryRegCFSLineHdlr
 	CHKiRet(objUse(strm, CORE_COMPONENT));
 	CHKiRet(objUse(prop, CORE_COMPONENT));
 
+	DBGPRINTF("imfile: version %s initializing\n", VERSION);
 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputfilename", 0, eCmdHdlrGetWord,
 	  	NULL, &pszFileName, STD_LOADABLE_MODULE_ID, eConfObjGlobal));
 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputfiletag", 0, eCmdHdlrGetWord,
diff --git a/plugins/imuxsock/imuxsock.c b/plugins/imuxsock/imuxsock.c
index c1168c87..ede8d954 100644
--- a/plugins/imuxsock/imuxsock.c
+++ b/plugins/imuxsock/imuxsock.c
@@ -143,7 +143,7 @@ static int startIndexUxLocalSockets; /* process fd from that index on (used to
 				   * read-only after startup
 				   */
 static int nfd = 1; /* number of Unix sockets open / read-only after startup */
-static int bSysSockFromSystemd = 0;	/* Did we receive the system socket from systemd? */
+static int sd_fds = 0;			/* number of systemd activated sockets */
 
 /* config settings */
 static int bOmitLocalLogging = 0;
@@ -372,41 +372,32 @@ openLogSocket(lstn_t *pLstn)
 	if(pLstn->sockName[0] == '\0')
 		return -1;
 
-       if (ustrcmp(pLstn->sockName, UCHAR_CONSTANT(_PATH_LOG)) == 0) {
-	       bSysSockFromSystemd = 0; /* set default */
-               int r;
-
-               /* System log socket code. Check whether an FD was passed in from systemd. If
-                * so, it's the /dev/log socket, so use it. */
-
-               r = sd_listen_fds(0);
-               if (r < 0) {
-                       errmsg.LogError(-r, NO_ERRCODE, "Failed to acquire systemd socket");
-			ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
-               }
-
-               if (r > 1) {
-                       errmsg.LogError(EINVAL, NO_ERRCODE, "Wrong number of systemd sockets passed");
-			ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
-               }
-
-               if (r == 1) {
-                       pLstn->fd = SD_LISTEN_FDS_START;
-                       r = sd_is_socket_unix(pLstn->fd, SOCK_DGRAM, -1, _PATH_LOG, 0);
-                       if (r < 0) {
-                               errmsg.LogError(-r, NO_ERRCODE, "Failed to verify systemd socket type");
-				ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
-                       }
-
-                       if (!r) {
-                               errmsg.LogError(EINVAL, NO_ERRCODE, "Passed systemd socket of wrong type");
-				ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
-                       }
-		       bSysSockFromSystemd = 1; /* indicate we got the socket from systemd */
-		} else {
-			CHKiRet(createLogSocket(pLstn));
+	pLstn->fd = -1;
+
+	if (sd_fds > 0) {
+               /* Check if the current socket is a systemd activated one.
+	        * If so, just use it.
+		*/
+		int fd;
+
+		for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + sd_fds; fd++) {
+			if( sd_is_socket_unix(fd, SOCK_DGRAM, -1, (const char*) pLstn->sockName, 0) == 1) {
+				/* ok, it matches -- just use as is */
+				pLstn->fd = fd;
+
+				dbgprintf("imuxsock: Acquired UNIX socket '%s' (fd %d) from systemd.\n",
+					pLstn->sockName, pLstn->fd);
+				break;
+			}
+			/*
+			 * otherwise it either didn't matched *this* socket and
+			 * we just continue to check the next one or there were
+			 * an error and we will create a new socket bellow.
+			 */
 		}
-	} else {
+	}
+
+	if (pLstn->fd == -1) {
 		CHKiRet(createLogSocket(pLstn));
 	}
 
@@ -774,12 +765,18 @@ CODESTARTwillRun
 	listeners[0].bUseCreds = (bWritePidSysSock || ratelimitIntervalSysSock) ? 1 : 0;
 	listeners[0].bWritePid = bWritePidSysSock;
 
+	sd_fds = sd_listen_fds(0);
+	if (sd_fds < 0) {
+		errmsg.LogError(-sd_fds, NO_ERRCODE, "imuxsock: Failed to acquire systemd socket");
+		ABORT_FINALIZE(RS_RET_ERR_CRE_AFUX);
+	}
+
 	/* initialize and return if will run or not */
 	actSocks = 0;
 	for (i = startIndexUxLocalSockets ; i < nfd ; i++) {
 		if(openLogSocket(&(listeners[i])) == RS_RET_OK) {
 			++actSocks;
-			dbgprintf("Opened UNIX socket '%s' (fd %d).\n", listeners[i].sockName, listeners[i].fd);
+			dbgprintf("imuxsock: Opened UNIX socket '%s' (fd %d).\n", listeners[i].sockName, listeners[i].fd);
 		}
 	}
 
@@ -806,15 +803,19 @@ CODESTARTafterRun
 		if (listeners[i].fd != -1)
 			close(listeners[i].fd);
 
-       /* Clean-up files. If systemd passed us a socket it is
-        * systemd's job to clean it up.*/
-       if(bSysSockFromSystemd) {
-	       DBGPRINTF("imuxsock: got system socket from systemd, not unlinking it\n");
-               i = 1;
-       } else
-               i = startIndexUxLocalSockets;
-       for(; i < nfd; i++)
+       /* Clean-up files. */
+       for(i = startIndexUxLocalSockets; i < nfd; i++)
 		if (listeners[i].sockName && listeners[i].fd != -1) {
+
+			/* If systemd passed us a socket it is systemd's job to clean it up.
+			 * Do not unlink it -- we will get same socket (node) from systemd
+			 * e.g. on restart again.
+			 */
+			if (sd_fds > 0 &&
+			    listeners[i].fd >= SD_LISTEN_FDS_START &&
+			    listeners[i].fd <  SD_LISTEN_FDS_START + sd_fds)
+				continue;
+
 			DBGPRINTF("imuxsock: unlinking unix socket file[%d] %s\n", i, listeners[i].sockName);
 			unlink((char*) listeners[i].sockName);
 		}
diff --git a/plugins/pmcisconames/pmcisconames.c b/plugins/pmcisconames/pmcisconames.c
index 47d1f6f6..4171e688 100644
--- a/plugins/pmcisconames/pmcisconames.c
+++ b/plugins/pmcisconames/pmcisconames.c
@@ -89,10 +89,29 @@ dbgprintf("pmcisconames: msg to look at: [%d]'%s'\n", lenMsg, p2parse);
 dbgprintf("msg too short!\n");
 		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
 	}
-
-	/* skip over timestamp */
-	lenMsg -=16;
-	p2parse +=16;
+	/* check if the timestamp is a 16 character or 21 character timestamp
+		'Mmm DD HH:MM:SS ' spaces at 3,6,15 : at 9,12
+		'Mmm DD YYYY HH:MM:SS ' spaces at 3,6,11,20 : at 14,17
+	   check for the : first as that will differentiate the two conditions the fastest
+	   this allows the compiler to short circuit the rst of the tests if it is the wrong timestamp
+	   but still check the rest to see if it looks correct
+	*/
+	if ( *(p2parse + 9) == ':' && *(p2parse + 12) == ':' && *(p2parse + 3) == ' ' && *(p2parse + 6) == ' ' && *(p2parse + 15) == ' ') {
+		/* skip over timestamp */
+		dbgprintf("short timestamp found\n");
+		lenMsg -=16;
+		p2parse +=16;
+	} else {
+		if ( *(p2parse + 14) == ':' && *(p2parse + 17) == ':' && *(p2parse + 3) == ' ' && *(p2parse + 6) == ' ' && *(p2parse + 11) == ' ' && *(p2parse + 20) == ' ') {
+			/* skip over timestamp */
+			dbgprintf("long timestamp found\n");
+			lenMsg -=21;
+			p2parse +=21;
+		} else {
+			dbgprintf("timestamp is not one of the valid formats\n");
+			ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+		}
+	}
 	/* now look for the next space to walk past the hostname */
 	while(lenMsg && *p2parse != ' ') {
 		--lenMsg;
diff --git a/plugins/pmsnare/Makefile.am b/plugins/pmsnare/Makefile.am
new file mode 100644
index 00000000..5b2696ac
--- /dev/null
+++ b/plugins/pmsnare/Makefile.am
@@ -0,0 +1,8 @@
+pkglib_LTLIBRARIES = pmsnare.la
+
+pmsnare_la_SOURCES = pmsnare.c
+pmsnare_la_CPPFLAGS =  $(RSRT_CFLAGS) $(PTHREADS_CFLAGS) -I ../../tools
+pmsnare_la_LDFLAGS = -module -avoid-version
+pmsnare_la_LIBADD = 
+
+EXTRA_DIST = 
diff --git a/plugins/pmsnare/pmsnare.c b/plugins/pmsnare/pmsnare.c
new file mode 100644
index 00000000..4a9880d4
--- /dev/null
+++ b/plugins/pmsnare/pmsnare.c
@@ -0,0 +1,238 @@
+/* pmsnare.c
+ *
+ * this detects logs sent by Snare and cleans them up so that they can be processed by the normal parser
+ *
+ * there are two variations of this, if the client is set to 'syslog' mode it sends
+ *
+ * <pri>timestamp<sp>hostname<sp>tag<tab>otherstuff
+ *
+ * if the client is not set to syslog it sends
+ *
+ * hostname<tab>tag<tab>otherstuff
+ *
+ * ToDo, take advantage of items in the message itself to set more friendly information
+ * where the normal parser will find it by re-writing more of the message
+ *
+ * Intereting information includes:
+ *
+ * in the case of windows snare messages:
+ *   the system hostname is field 12
+ *   the severity is field 3 (criticality ranging form 0 to 4)
+ *   the source of the log is field 4 and may be able to be mapped to facility
+ * 
+ * 
+ * created 2010-12-13 by David Lang based on pmlastmsg
+ *
+ * This file is part of rsyslog.
+ *
+ * Rsyslog is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rsyslog is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rsyslog.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * A copy of the GPL can be found in the file "COPYING" in this distribution.
+ */
+#include "config.h"
+#include "rsyslog.h"
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <ctype.h>
+#include "conf.h"
+#include "syslogd-types.h"
+#include "template.h"
+#include "msg.h"
+#include "module-template.h"
+#include "glbl.h"
+#include "errmsg.h"
+#include "parser.h"
+#include "datetime.h"
+#include "unicode-helper.h"
+
+MODULE_TYPE_PARSER
+PARSER_NAME("rsyslog.snare")
+
+/* internal structures
+ */
+DEF_PMOD_STATIC_DATA
+DEFobjCurrIf(errmsg)
+DEFobjCurrIf(glbl)
+DEFobjCurrIf(parser)
+DEFobjCurrIf(datetime)
+
+
+/* static data */
+static int bParseHOSTNAMEandTAG;	/* cache for the equally-named global param - performance enhancement */
+
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+	if(eFeat == sFEATUREAutomaticSanitazion)
+		iRet = RS_RET_OK;
+	if(eFeat == sFEATUREAutomaticPRIParsing)
+		iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+
+BEGINparse
+	uchar *p2parse;
+	int lenMsg;
+	int snaremessage;
+	int tablength;
+
+CODESTARTparse
+	#define TabRepresentation "#011"
+	tablength=sizeof(TabRepresentation);
+	dbgprintf("Message will now be parsed by fix Snare parser.\n");
+	assert(pMsg != NULL);
+	assert(pMsg->pszRawMsg != NULL);
+
+	/* check if this message is of the type we handle in this (very limited) parser
+
+	 find out if we have a space separated or tab separated for the first item
+	 if tab separated see if the second word is one of our expected tags
+	  if so replace the tabs with spaces so that hostname and syslog tag are going to be parsed properly
+	   optionally replace the hostname at the beginning of the message with one from later in the message
+	  else, wrong message, abort
+	 else, assume that we have a valid timestamp, move over to the syslog tag
+	  if that is tab separated from the rest of the message and one of our expected tags
+	   if so, replace the tab with a space so that it will be parsed properly
+	    optionally replace the hostname at the beginning of the message withone from later in the message 
+
+	*/
+	snaremessage=0;
+	lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* note: offAfterPRI is already the number of PRI chars (do not add one!) */
+	p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+	dbgprintf("pmsnare: msg to look at: [%d]'%s'\n", lenMsg, p2parse);
+	if((unsigned) lenMsg < 30) {
+		/* too short, can not be "our" message */
+		dbgprintf("msg too short!\n");
+		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+	}
+
+	while(lenMsg && *p2parse != ' ' && *p2parse != '\t' && *p2parse != '#') {
+		--lenMsg;
+		++p2parse;
+	}
+	dbgprintf("pmsnare: separator [%d]'%s'  msg after the first separator: [%d]'%s'\n", tablength,TabRepresentation,lenMsg, p2parse);
+	if ((lenMsg > tablength) && (*p2parse == '\t' || strncasecmp((char*) p2parse, TabRepresentation , tablength-1) == 0)) {
+	//if ((lenMsg > tablength) && (*p2parse == '\t' || *p2parse == '#')) {
+	dbgprintf("pmsnare: tab separated message\n");
+		if(strncasecmp((char*) (p2parse + tablength - 1), "MSWinEventLog", 13) == 0) {
+			snaremessage=13; /* 0 means not a snare message, a number is how long the tag is */
+		}
+		if(strncasecmp((char*) (p2parse + tablength - 1), "LinuxKAudit", 11) == 0) {
+			snaremessage=11; /* 0 means not a snare message, a number is how long the tag is */
+		}
+		if(snaremessage) {
+			/* replace the tab with a space and if needed move the message portion up by the length of TabRepresentation -2 characters to overwrite the extra : */
+			*p2parse = ' ';
+			lenMsg -=(tablength-2);
+			p2parse++;
+			lenMsg--;
+			memmove(p2parse, p2parse + (tablength-2), lenMsg);
+			*(p2parse + lenMsg) = '\n';
+			*(p2parse + lenMsg + 1)  = '\0';
+			pMsg->iLenRawMsg -=(tablength-2);
+			pMsg->iLenMSG -=(tablength-2);
+			p2parse += snaremessage;
+			lenMsg -= snaremessage;
+			*p2parse = ' ';
+			p2parse++;
+			lenMsg--;
+			lenMsg -=(tablength-2);
+			memmove(p2parse, p2parse + (tablength-2), lenMsg);
+			*(p2parse + lenMsg) = '\n';
+			*(p2parse + lenMsg + 1)  = '\0';
+			pMsg->iLenRawMsg -=(tablength-2);
+			pMsg->iLenMSG -=(tablength-2);
+			dbgprintf("found a Snare message with snare not set to send syslog messages\n");
+		}
+	} else {
+		/* go back to the beginning of the message */
+		lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* note: offAfterPRI is already the number of PRI chars (do not add one!) */
+		p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+		/* skip over timestamp and space*/
+		lenMsg -=17;
+		p2parse +=17;
+		/* skip over what should be the hostname */
+		while(lenMsg && *p2parse != ' ') {
+			--lenMsg;
+			++p2parse;
+		}
+		if (lenMsg){
+			--lenMsg;
+			++p2parse;
+		}
+		dbgprintf("pmsnare: separator [%d]'%s'  msg after the timestamp and hostname: [%d]'%s'\n", tablength,TabRepresentation,lenMsg, p2parse);
+		if(lenMsg > 13 && strncasecmp((char*) p2parse, "MSWinEventLog", 13) == 0) {
+			snaremessage=13; /* 0 means not a snare message, a number is how long the tag is */
+		}
+		if(lenMsg > 11 && strncasecmp((char*) p2parse, "LinuxKAudit", 11) == 0) {
+			snaremessage=11; /* 0 means not a snare message, a number is how long the tag is */
+		}
+		if(snaremessage) {
+			p2parse += snaremessage;
+			lenMsg -= snaremessage;
+			*p2parse = ' ';
+			p2parse++;
+			lenMsg--;
+			lenMsg -=(tablength-2);
+			memmove(p2parse, p2parse + (tablength-2), lenMsg);
+			*(p2parse + lenMsg) = '\n';
+			*(p2parse + lenMsg + 1)  = '\0';
+			pMsg->iLenRawMsg -=(tablength-2);
+			pMsg->iLenMSG -=(tablength-2);
+			dbgprintf("found a Snare message with snare set to send syslog messages\n");
+		}
+		
+	}
+	DBGPRINTF("pmsnare: new message: [%d]'%s'\n", lenMsg, pMsg->pszRawMsg + pMsg->offAfterPRI);
+	ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+
+finalize_it:
+ENDparse
+
+
+BEGINmodExit
+CODESTARTmodExit
+	/* release what we no longer need */
+	objRelease(errmsg, CORE_COMPONENT);
+	objRelease(glbl, CORE_COMPONENT);
+	objRelease(parser, CORE_COMPONENT);
+	objRelease(datetime, CORE_COMPONENT);
+ENDmodExit
+
+
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+CODEqueryEtryPt_STD_PMOD_QUERIES
+CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
+ENDqueryEtryPt
+
+
+BEGINmodInit()
+CODESTARTmodInit
+	*ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
+CODEmodInit_QueryRegCFSLineHdlr
+	CHKiRet(objUse(glbl, CORE_COMPONENT));
+	CHKiRet(objUse(errmsg, CORE_COMPONENT));
+	CHKiRet(objUse(parser, CORE_COMPONENT));
+	CHKiRet(objUse(datetime, CORE_COMPONENT));
+
+	DBGPRINTF("snare parser init called, compiled with version %s\n", VERSION);
+ 	bParseHOSTNAMEandTAG = glbl.GetParseHOSTNAMEandTAG(); /* cache value, is set only during rsyslogd option processing */
+
+
+ENDmodInit
+
+/* vim:set ai:
+ */