-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | doc/imuxsock.html | 47 | ||||
-rw-r--r-- | doc/rsyslog_conf.html | 19 | ||||
-rw-r--r-- | plugins/imklog/imklog.c | 2 | ||||
-rw-r--r-- | plugins/imudp/imudp.c | 3 | ||||
-rw-r--r-- | plugins/imuxsock/imuxsock.c | 33 | ||||
-rw-r--r-- | syslogd.c | 12 | ||||
-rw-r--r-- | syslogd.h | 3 | ||||
-rw-r--r-- | tcps_sess.c | 9 |
10 files changed, 108 insertions, 31 deletions
@@ -12,6 +12,15 @@ Version 3.12.1 (rgerhards), 2008-03-06 - added support for the MonitorWare syslog MIB to omsnmp - internal code improvements (more code converted into classes) - internal code reworking of the imtcp/imgssapi module +- added capability to ignore client-provided timestamp on unix sockets and + made this mode the default; this was needed, as some programs (e.g. sshd) + log with inconsistent timezone information, what messes up the local + logs (which by default don't even contain time zone information). This + seems to be consistent with what sysklogd did for the past four years. + Alternate behaviour may be desirable if gateway-like processes send + messages via the local log slot - in this case, it can be enabled + via the $InputUnixListenSocketIgnoreMsgTimestamp and + $SystemLogSocketIgnoreMsgTimestamp config directives --------------------------------------------------------------------------- Version 3.12.0 (rgerhards), 2008-02-28 - added full expression support for filters; filters can now contain diff --git a/configure.ac b/configure.ac index 4bf03aff..a67a4815 100644 --- a/configure.ac +++ b/configure.ac @@ -80,7 +80,7 @@ AC_FUNC_STAT AC_FUNC_STRERROR_R AC_FUNC_VPRINTF AC_FUNC_WAIT3 -AC_CHECK_FUNCS([flock alarm clock_gettime gethostbyname gethostname gettimeofday localtime_r memset mkdir regcomp select setid socket strcasecmp strchr strdup strerror strndup strnlen strrchr strstr strtol strtoul uname ttyname_r]) +AC_CHECK_FUNCS([flock basename alarm clock_gettime gethostbyname gethostname gettimeofday localtime_r memset mkdir regcomp select setid socket strcasecmp strchr strdup strerror strndup strnlen strrchr strstr strtol strtoul uname ttyname_r]) # Large file support diff --git a/doc/imuxsock.html b/doc/imuxsock.html new file mode 100644 index 00000000..ee367dbc --- /dev/null +++ b/doc/imuxsock.html 
@@ -0,0 +1,47 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html><head> +<meta http-equiv="Content-Language" content="en"><title>Unix Socket Input</title> + +</head> +<body> +<h1>Unix Socket Input</h1> +<p><b>Module Name: imuxsock</b></p> +<p><b>Author: </b>Rainer Gerhards +<rgerhards@adiscon.com></p> +<p><b>Description</b>:</p> +<p>Provides the ability to accept syslog messages via local Unix +sockets. Most importantly, this is the mechanism by which the syslog(3) +call delivers syslog messages to rsyslogd. So you need to have this +module loaded to read the system log socket and be able to process log +messages from applications running on the local system.</p><p>Application-provided +timestamps are ignored by default. This is needed, as some programs +(e.g. sshd) log with inconsistent timezone information, what +messes up the local logs (which by default don't even contain time zone +information). This seems to be consistent with what sysklogd did for +the past four years. Alternate behaviour may be desirable if +gateway-like processes send messages via the local log slot - in this +case, it can be enabled via the +$InputUnixListenSocketIgnoreMsgTimestamp and $SystemLogSocketIgnoreMsgTimestamp config directives</p><p><b>Configuration Directives</b>:</p> +<ul> +<li><span style="font-weight: bold;">$InputUnixListenSocketIgnoreMsgTimestamp</span> [<span style="font-weight: bold;">on</span>/off]<strong></strong><br>Ignore timestamps included in the message. 
Applies to the next socket being added.</li><li><span style="font-weight: bold;">$SystemLogSocketIgnoreMsgTimestamp</span> [<span style="font-weight: bold;">on</span>/off]<br>Ignore timestamps included in the messages, applies to messages received via the system log socket.</li><li><span style="font-weight: bold;">$OmitLocalLogging</span> (imuxsock) [on/<b>off</b>] -- +former -o option</li><li><span style="font-weight: bold;">$SystemLogSocketName</span> <name-of-socket> -- +former -p option</li><li><span style="font-weight: bold;">$AddUnixListenSocket</span> <name-of-socket> adds +additional unix socket, default none -- former -a option</li></ul> +<b>Caveats/Known Bugs:</b><br> +<br> +This documentation is sparse and incomplete. +<p><b>Sample:</b></p> +<p>The following sample is the minimum setup required to accept syslog messages from applications running on the local system.<br> +</p> +<textarea rows="15" cols="60">$ModLoad imuxsock # needs to be done just once +</textarea> +<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] +[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> +<p><font size="2">This documentation is part of the +<a href="http://www.rsyslog.com/">rsyslog</a> +project.<br> +Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer +Gerhards</a> and +<a href="http://www.adiscon.com/">Adiscon</a>. +Released under the GNU GPL version 3 or higher.</font></p> +</body></html>
\ No newline at end of file diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html index 9e67a8c1..11f80a2d 100644 --- a/doc/rsyslog_conf.html +++ b/doc/rsyslog_conf.html @@ -1,7 +1,5 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html><head><title>rsyslog.conf file</title> - -</head> +<html><head><title>rsyslog.conf file</title></head> <body> <h1>rsyslog.conf configuration file</h1> <p><b>This document is currently being enhanced. Please @@ -43,7 +41,7 @@ plugin for plain tcp syslog</li> <li><a href="imgssapi.html">imgssapi</a> - input plugin for plain tcp and GSS-enable syslog</li> <li>immark - support for mark messages</li> -<li>imklog - kernel logging</li> +<li>imklog - kernel logging</li><li><a href="imuxsock.html">imuxsock</a> - unix sockets, including the system log socket</li> </ul> <p>Please note that each module provides configuration directives, which are NOT necessarily being listed below. Also @@ -100,10 +98,7 @@ default 60000 (1 minute)]</li> worker threads, default 1, recommended 1</li> <li>$ActionQueueWorkerThreadMinumumMessages <number>, default 100</li> -<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li> -<li>$AddUnixListenSocket <name-of-socket> adds -additional unix socket, default none -- former -a option</li> -<li>$ActionResumeRetryCount <number> [default 0, +<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li><li>$ActionResumeRetryCount <number> [default 0, -1 means eternal]</li> <li><a href="rsconf1_allowedsender.html">$AllowedSender</a></li> <li><a href="rsconf1_controlcharacterescapeprefix.html">$ControlCharacterEscapePrefix</a></li> 
@@ -171,15 +166,11 @@ worker threads, default 1, recommended 1</li> (immark)</li> <li><a href="rsconf1_moddir.html">$ModDir</a></li> <li><a href="rsconf1_modload.html">$ModLoad</a></li> -<li>$OmitLocalLogging (imuxsock) [on/<b>off</b>] -- -former -o option</li> + <li><a href="rsconf1_repeatedmsgreduction.html">$RepeatedMsgReduction</a></li> <li><a href="rsconf1_resetconfigvariables.html">$ResetConfigVariables</a></li> <li>$WorkDirectory <name> (directory for spool -and other work files)</li> -<li>$SystemLogSocketName <name-of-socket> -- -former -p option</li> -<li>$UDPServerAddress <IP> (imudp) -- local IP +and other work files)</li><li>$UDPServerAddress <IP> (imudp) -- local IP address (or name) the UDP listens should bind to</li> <li>$UDPServerRun <port> (imudp) -- former -r<port> option, default 514, start UDP server on this diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c index 238328ea..46c78e70 100644 --- a/plugins/imklog/imklog.c +++ b/plugins/imklog/imklog.c @@ -127,7 +127,7 @@ static rsRetVal writeSyslogV(int iPRI, const char *szFmt, va_list va) /* here we must create our message object and supply it to the message queue */ - CHKiRet(parseAndSubmitMessage(LocalHostName, msgBuf, strlen(msgBuf), MSG_DONT_PARSE_HOSTNAME)); + CHKiRet(parseAndSubmitMessage(LocalHostName, msgBuf, strlen(msgBuf), MSG_DONT_PARSE_HOSTNAME, NOFLAG)); finalize_it: RETiRet; diff --git a/plugins/imudp/imudp.c b/plugins/imudp/imudp.c index 70a7b3f7..be9fb6cc 100644 --- a/plugins/imudp/imudp.c +++ b/plugins/imudp/imudp.c @@ -189,7 +189,8 @@ CODESTARTrunInput */ if(isAllowedSender(pAllowedSenders_UDP, (struct sockaddr *)&frominet, (char*)fromHostFQDN)) { - parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l, + MSG_PARSE_HOSTNAME, NOFLAG); } else { dbgprintf("%s is not an allowed sender\n", (char*)fromHostFQDN); if(option_DisallowWarning) { 
diff --git a/plugins/imuxsock/imuxsock.c b/plugins/imuxsock/imuxsock.c index 68978231..1d26de4b 100644 --- a/plugins/imuxsock/imuxsock.c +++ b/plugins/imuxsock/imuxsock.c @@ -68,6 +68,7 @@ static int startIndexUxLocalSockets; /* process funix from that index on (used t * read-only after startup */ static int funixParseHost[MAXFUNIX] = { 0, }; /* should parser parse host name? read-only after startup */ +static int funixFlags[MAXFUNIX] = { ADDDATE, }; /* should parser parse host name? read-only after startup */ static uchar *funixn[MAXFUNIX] = { (uchar*) _PATH_LOG }; /* read-only after startup */ static int funix[MAXFUNIX] = { -1, }; /* read-only after startup */ static int nfunix = 1; /* number of Unix sockets open / read-only after startup */ @@ -75,6 +76,20 @@ static int nfunix = 1; /* number of Unix sockets open / read-only after startup /* config settings */ static int bOmitLocalLogging = 0; static uchar *pLogSockName = NULL; +static int bIgnoreTimestamp = 1; /* ignore timestamps present in the incoming message? */ + + +/* set the timestamp ignore / not ignore option for the system + * log socket. This must be done separtely, as it is not added via a command + * but present by default. -- rgerhards, 2008-03-06 + */ +static rsRetVal setSystemLogTimestampIgnore(void __attribute__((unused)) *pVal, int iNewVal) +{ + DEFiRet; +RUNLOG_VAR("%d", iNewVal); + funixFlags[0] = iNewVal ? ADDDATE : NOFLAG; + RETiRet; +} /* add an additional listen socket. Socket names are added @@ -95,6 +110,7 @@ static rsRetVal addLstnSocketName(void __attribute__((unused)) *pVal, uchar *pNe else { funixParseHost[nfunix] = 0; } + funixFlags[nfunix] = bIgnoreTimestamp ? ADDDATE : NOFLAG; funixn[nfunix++] = pNewVal; } else { 
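Review bot: The comment on the new `funixFlags` array in the `@@ -68,6 +68,7` hunk is copied from `funixParseHost` and still reads "should parser parse host name?", which misdescribes a table that decides whether a client-supplied timestamp is trusted. Something like `/* per-socket flags handed to parseAndSubmitMessage(); ADDDATE = ignore the timestamp in the message. read-only after startup */` would match how the later hunks use it. The initializer sets only slot 0 to `ADDDATE`; the remaining slots start at 0 and depend on addLstnSocketName assigning them, which is worth a word in the same comment.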
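Review bot: `RUNLOG_VAR("%d", iNewVal);` in setSystemLogTimestampIgnore (hunk `@@ -75,6 +76,20`) sits at column 0 and looks like a leftover debug trace; if it is, it should be dropped, otherwise indented with the rest of the body. The header comment has "separtely" for "separately". Because this handler writes `funixFlags[0]` directly, the comment should also say that a value of 0 makes the system log socket keep whatever timestamp a local client puts in its message, which is the non-default mode described in the ChangeLog entry.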
@@ -157,7 +173,7 @@ static int create_unix_socket(const char *path) * to receive and submits the message received for processing. * rgerhards, 2007-12-20 */ -static rsRetVal readSocket(int fd, int bParseHost) +static rsRetVal readSocket(int fd, int bParseHost, int flags) { DEFiRet; int iRcvd; @@ -166,7 +182,7 @@ static rsRetVal readSocket(int fd, int bParseHost) iRcvd = recv(fd, line, MAXLINE - 1, 0); dbgprintf("Message from UNIX socket: #%d\n", fd); if (iRcvd > 0) { - parseAndSubmitMessage(LocalHostName, line, iRcvd, bParseHost); + parseAndSubmitMessage(LocalHostName, line, iRcvd, bParseHost, flags); } else if (iRcvd < 0 && errno != EINTR) { char errStr[1024]; rs_strerror_r(errno, errStr, sizeof(errStr)); @@ -221,7 +237,7 @@ CODESTARTrunInput for (i = 0; i < nfunix && nfds > 0; i++) { if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) { - readSocket(fd, funixParseHost[i]); + readSocket(fd, funixParseHost[i], funixFlags[i]); --nfds; /* indicate we have processed one */ } } @@ -292,6 +308,7 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a discardFunixn(); nfunix = 1; + bIgnoreTimestamp = 1; return RS_RET_OK; } 
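Review bot: The `@@ -292,6 +308,7` hunk resets `bIgnoreTimestamp` to 1 but leaves `funixFlags[0]` untouched, so a `$SystemLogSocketIgnoreMsgTimestamp off` given earlier survives the reset while the setting for additional sockets goes back to its default. If the reset is meant to restore the documented default for both directives, add `funixFlags[0] = ADDDATE;` next to `bIgnoreTimestamp = 1;`. Without it, a configuration that relies on the reset can leave the system log socket accepting client-supplied timestamps without the author noticing. resetConfigVariables starts outside the hunk, so any other state it restores is not visible here.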
@@ -313,12 +330,22 @@ CODEmodInit_QueryRegCFSLineHdlr /* register config file handlers */ CHKiRet(omsdRegCFSLineHdlr((uchar *)"omitlocallogging", 0, eCmdHdlrBinary, NULL, &bOmitLocalLogging, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputunixlistensocketignoremsgtimestamp", 0, eCmdHdlrBinary, + NULL, &bIgnoreTimestamp, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"systemlogsocketname", 0, eCmdHdlrGetWord, NULL, &pLogSockName, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"addunixlistensocket", 0, eCmdHdlrGetWord, addLstnSocketName, NULL, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); + /* the following one is a (dirty) trick: the system log socket is not added via + * an "addUnixListenSocket" config format. As such, the timestamp can not be modified + * via $InputUnixListenSocketIgnoreMsgTimestamp". So we need to add a special directive + * for that. We should revisit all of that once we have the new config format... + * rgerhards, 2008-03-06 + */ + CHKiRet(omsdRegCFSLineHdlr((uchar *)"systemlogsocketignoremsgtimestamp", 0, eCmdHdlrBinary, + setSystemLogTimestampIgnore, NULL, STD_LOADABLE_MODULE_ID)); ENDmodInit /* * vi:set ai: @@ -628,8 +628,10 @@ void untty(void) * HOSTNAME or not. rgerhards 2004-11-16. * changed parameter iSource to bParseHost. For details, see comment in * printchopped(). rgerhards 2005-10-06 + * rgerhards: 2008-03-06: added "flags" to allow an input module to specify + * flags, most importantly to request ignoring the messages' timestamp. */ -rsRetVal printline(char *hname, char *msg, int bParseHost) +rsRetVal printline(char *hname, char *msg, int bParseHost, int flags) { DEFiRet; register char *p; 
@@ -678,7 +680,7 @@ rsRetVal printline(char *hname, char *msg, int bParseHost) if(MsgSetUxTradMsg(pMsg, p) != 0) ABORT_FINALIZE(RS_RET_ERR); - logmsg(pMsg, SYNC_FILE); + logmsg(pMsg, flags | SYNC_FILE); finalize_it: RETiRet; @@ -716,7 +718,7 @@ finalize_it: * improve in the future. <-- TODO! */ rsRetVal -parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost) +parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost, int flags) { DEFiRet; register int iMsg; @@ -815,7 +817,7 @@ parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost) */ if(iMsg == MAXLINE) { *(pMsg + iMsg) = '\0'; /* space *is* reserved for this! */ - printline(hname, tmpline, bParseHost); + printline(hname, tmpline, bParseHost, flags); } else { /* This case in theory never can happen. If it happens, we have * a logic error. I am checking for it, because if I would not, @@ -867,7 +869,7 @@ parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost) *(pMsg + iMsg) = '\0'; /* space *is* reserved for this! */ /* typically, we should end up here! */ - printline(hname, tmpline, bParseHost); + printline(hname, tmpline, bParseHost, flags); finalize_it: RETiRet; @@ -62,6 +62,7 @@ /* Flags to logmsg(). */ +#define NOFLAG 0x000 /* no flag is set (to be used when a flag must be specified and none is required) */ #define INTERNAL_MSG 0x001 /* msg generated by logmsgInternal() --> special handling */ #define SYNC_FILE 0x002 /* do fsync on file after printing */ #define ADDDATE 0x004 /* add a date to the message */ 
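Review bot: In the `@@ -678,7 +680,7` hunk, `logmsg(pMsg, flags | SYNC_FILE);` forwards the caller's `flags` into logmsg()'s flag word unfiltered, and that word also carries `INTERNAL_MSG` ("special handling"). Every caller in this commit passes only `NOFLAG` or `ADDDATE`, so nothing is wrong today, but the new header comment on printline should state that these are the only values an input module may pass, or the call could mask them, e.g. `logmsg(pMsg, (flags & ADDDATE) | SYNC_FILE);`. The `ADDDATE` define in syslogd.h is still documented as "add a date to the message"; its comment should mention that input modules now use it to request that the timestamp found in the message be ignored. printline's body extends beyond the hunk.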
@@ -117,7 +118,7 @@ typedef struct filed selector_t; /* new type name */ #define MSG_PARSE_HOSTNAME 1 #define MSG_DONT_PARSE_HOSTNAME 0 -rsRetVal parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost); +rsRetVal parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost, int flags); int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost); void untty(void); rsRetVal selectorConstruct(selector_t **ppThis); diff --git a/tcps_sess.c b/tcps_sess.c index f8f9f5bd..c86bcf8d 100644 --- a/tcps_sess.c +++ b/tcps_sess.c @@ -207,8 +207,7 @@ PrepareClose(tcps_sess_t *pThis) * this case. */ dbgprintf("Extra data at end of stream in legacy syslog/tcp message - processing\n"); - parseAndSubmitMessage(pThis->fromHost, pThis->msg, - pThis->iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pThis->msg, pThis->iMsg, MSG_PARSE_HOSTNAME, NOFLAG); pThis->bAtStrtOfFram = 1; } @@ -354,7 +353,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen) /* emergency, we now need to flush, no matter if * we are at end of message or not... */ - parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG); iMsg = 0; /* we might think if it is better to ignore the rest of the * message than to treat it as a new one. Maybe this is a good @@ -365,7 +364,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen) if(*pData == '\n' && pThis->eFraming == TCP_FRAMING_OCTET_STUFFING) { /* record delemiter? */ - parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG); iMsg = 0; pThis->bAtStrtOfFram = 1; ++pData; 
@@ -379,7 +378,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen) pThis->iOctetsRemain--; if(pThis->iOctetsRemain < 1) { /* we have end of frame! */ - parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME); + parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG); iMsg = 0; pThis->bAtStrtOfFram = 1; } |