From 668975662405d2ddb820072b521dbf7c275a4864 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards <rgerhards@adiscon.com>
Date: Tue, 21 Feb 2012 12:12:51 +0100
Subject: added mmjsonparse to support recognizing and parsing JSON enhanced
 syslog messages

---
 ChangeLog                         |   6 +-
 Makefile.am                       |   4 +
 configure.ac                      |  20 ++-
 plugins/mmjsonparse/Makefile.am   |   8 ++
 plugins/mmjsonparse/mmjsonparse.c | 247 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 282 insertions(+), 3 deletions(-)
 create mode 100644 plugins/mmjsonparse/Makefile.am
 create mode 100644 plugins/mmjsonparse/mmjsonparse.c

diff --git a/ChangeLog b/ChangeLog
index b0d677e3..ec7be02b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,13 +1,15 @@
 ---------------------------------------------------------------------------
 Version 6.3.8  [DEVEL] 2012-02-??
-- bugfix: property $!all-json made rsyslog abort if not normalized data
-  were available
+- added mmjsonparse to support recognizing and parsing JSON enhanced syslog
+  messages
 - upgraded more plugins to support the new v6 config format:
   - ommysql
   - omlibdbi
   - omsnmp
 - bugfix: abort during startup when rsyslog.conf v6+ format was used in
   a certain way
+- bugfix: property $!all-json made rsyslog abort if no normalized data
+  was available
 ---------------------------------------------------------------------------
 Version 6.3.7  [DEVEL] 2012-02-02
 - imported refactored v5.9.6 imklog linux driver, now combined with BSD
diff --git a/Makefile.am b/Makefile.am
index 585756c8..b3b5a637 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -198,6 +198,10 @@ if ENABLE_MMNORMALIZE
 SUBDIRS += plugins/mmnormalize
 endif
 
+if ENABLE_MMJSONPARSE
+SUBDIRS += plugins/mmjsonparse
+endif
+
 if ENABLE_ORACLE
 SUBDIRS += plugins/omoracle
 endif
diff --git a/configure.ac b/configure.ac
index 2f4c2c9b..117e644f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,7 +33,7 @@ PKG_PROG_PKG_CONFIG
 
 # modules we require
 PKG_CHECK_MODULES(LIBESTR, libestr >= 0.1.2)
-PKG_CHECK_MODULES(LIBEE, libee >= 0.3.1)
+PKG_CHECK_MODULES(LIBEE, libee >= 0.4.0)
 
 case "${host}" in
   *-*-linux*)
@@ -840,6 +840,22 @@ AC_SUBST(LOGNORM_CFLAGS)
 AC_SUBST(LOGNORM_LIBS)
 
 
+# mmnjsonparse
+AC_ARG_ENABLE(mmjsonparse,
+        [AS_HELP_STRING([--enable-mmjsonparse],[Enable building mmjsonparse support @<:@default=no@:>@])],
+        [case "${enableval}" in
+         yes) enable_mmjsonparse="yes" ;;
+          no) enable_mmjsonparse="no" ;;
+           *) AC_MSG_ERROR(bad value ${enableval} for --enable-mmjsonparse) ;;
+         esac],
+        [enable_mmjsonparse=no]
+)
+if test "x$enable_mmjsonparse" = "xyes"; then
+	PKG_CHECK_MODULES(LIBLOGNORM, lognorm >= 0.3.1)
+fi
+AM_CONDITIONAL(ENABLE_MMJSONPARSE, test x$enable_mmjsonparse = xyes)
+
+
 # RELP support
 AC_ARG_ENABLE(relp,
         [AS_HELP_STRING([--enable-relp],[Enable RELP support @<:@default=no@:>@])],
@@ -1240,6 +1256,7 @@ AC_CONFIG_FILES([Makefile \
 		plugins/omoracle/Makefile \
 		plugins/omudpspoof/Makefile \
 		plugins/mmnormalize/Makefile \
+		plugins/mmjsonparse/Makefile \
 		plugins/omelasticsearch/Makefile \
 		plugins/sm_cust_bindcdr/Makefile \
 		plugins/mmsnmptrapd/Makefile \
@@ -1290,6 +1307,7 @@ echo "    pmsnare module will be compiled:          $enable_pmsnare"
 echo
 echo "---{ message modification modules }---"
 echo "    mmnormalize module will be compiled:      $enable_mmnormalize"
+echo "    mmjsonparse module will be compiled:      $enable_mmjsonparse"
 echo "    mmsnmptrapd module will be compiled:      $enable_mmsnmptrapd"
 echo
 echo "---{ strgen modules }---"
diff --git a/plugins/mmjsonparse/Makefile.am b/plugins/mmjsonparse/Makefile.am
new file mode 100644
index 00000000..5175fe81
--- /dev/null
+++ b/plugins/mmjsonparse/Makefile.am
@@ -0,0 +1,8 @@
+pkglib_LTLIBRARIES = mmjsonparse.la
+
+mmjsonparse_la_SOURCES = mmjsonparse.c
+mmjsonparse_la_CPPFLAGS =  $(RSRT_CFLAGS) $(PTHREADS_CFLAGS) $(LIBLOGNORM_CFLAGS) $(LIBEE_CFLAGS)
+mmjsonparse_la_LDFLAGS = -module -avoid-version $(LIBLOGNORM_LIBS) $(LIBEE_LIBS)
+mmjsonparse_la_LIBADD = 
+
+EXTRA_DIST = 
diff --git a/plugins/mmjsonparse/mmjsonparse.c b/plugins/mmjsonparse/mmjsonparse.c
new file mode 100644
index 00000000..053eff83
--- /dev/null
+++ b/plugins/mmjsonparse/mmjsonparse.c
@@ -0,0 +1,247 @@
+/* mmjsonparse.c
+ * This is a message modification module. If give, it extracts JSON data
+ * and populates the EE event structure with it.
+ *
+ * NOTE: read comments in module-template.h for details on the calling interface!
+ *
+ * File begun on 2012-02-20 by RGerhards
+ *
+ * Copyright 2012 Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *       -or-
+ *       see COPYING.ASL20 in the source distribution
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "config.h"
+#include "rsyslog.h"
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <signal.h>
+#include <errno.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <libestr.h>
+#include <libee/libee.h>
+#include "conf.h"
+#include "syslogd-types.h"
+#include "template.h"
+#include "module-template.h"
+#include "errmsg.h"
+#include "cfsysline.h"
+#include "dirty.h"
+
+MODULE_TYPE_OUTPUT
+MODULE_TYPE_NOKEEP
+MODULE_CNFNAME("mmjsonparse")
+
+static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unused)) *pVal);
+
+/* static data */
+DEFobjCurrIf(errmsg);
+
+/* internal structures
+ */
+DEF_OMOD_STATIC_DATA
+
+typedef struct _instanceData {
+	ee_ctx ctxee;		/**< context to be used for libee */
+} instanceData;
+
+typedef struct configSettings_s {
+	int dummy; /* remove when the first real parameter is needed */
+} configSettings_t;
+static configSettings_t cs;
+
+BEGINinitConfVars		/* (re)set config variables to default values */
+CODESTARTinitConfVars 
+	resetConfigVariables(NULL, NULL);
+ENDinitConfVars
+
+
+BEGINcreateInstance
+CODESTARTcreateInstance
+ENDcreateInstance
+
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+ENDisCompatibleWithFeature
+
+
+BEGINfreeInstance
+CODESTARTfreeInstance
+	ee_exitCtx(pData->ctxee);
+ENDfreeInstance
+
+
+BEGINdbgPrintInstInfo
+CODESTARTdbgPrintInstInfo
+	dbgprintf("mmjsonparse\n");
+ENDdbgPrintInstInfo
+
+
+BEGINtryResume
+CODESTARTtryResume
+ENDtryResume
+
+#define COOKIE "@JSON: "
+#define LEN_COOKIE (sizeof(COOKIE)-1)
+BEGINdoAction
+	msg_t *pMsg;
+	uchar *buf;
+	struct ee_event *event;
+CODESTARTdoAction
+	pMsg = (msg_t*) ppString[0];
+	/* note that we can performance-optimize the interface, but this also
+	 * requires changes to the libraries. For now, we accept message
+	 * duplication. -- rgerhards, 2010-12-01
+	 */
+	buf = getMSG(pMsg);
+
+dbgprintf("mmjsonparse: msg is '%s'\n", buf);
+	while(*buf && isspace(*buf)) {
+		++buf;
+	}
+
+	if(*buf == '\0' || strncmp((char*)buf, COOKIE, LEN_COOKIE)) {
+		DBGPRINTF("mmjsonparse: no JSON cookie: '%s'\n", buf);
+		FINALIZE;
+	}
+	buf += LEN_COOKIE;
+dbgprintf("mmjsonparse: cookie found, rest of message: '%s'\n", buf);
+	event = ee_newEventFromJSON(pData->ctxee, (char*)buf);
+	if(event == NULL) {
+		DBGPRINTF("mmjsonparse: JSON parse error, assuming no "
+			  "JSON-enhanced message: '%s'\n", buf);
+		FINALIZE;
+	}
+	/* TODO: in the long term, we need to think about merging & different
+	   name spaces (probably best to add the newly-obtained event as a child to
+	   the existing event...)
+	*/
+	if(pMsg->event != NULL) {
+		ee_deleteEvent(pMsg->event);
+	}
+	pMsg->event = event;
+
+#if 1
+	/***DEBUG***/ // TODO: remove after initial testing - 2010-12-01
+			{
+			char *cstr;
+			es_str_t *str;
+			ee_fmtEventToJSON(pMsg->event, &str);
+			cstr = es_str2cstr(str, NULL);
+			dbgprintf("mmjsonparse generated: %s\n", cstr);
+			free(cstr);
+			es_deleteStr(str);
+			}
+	/***END DEBUG***/
+#endif
+finalize_it:
+ENDdoAction
+
+
+BEGINparseSelectorAct
+CODESTARTparseSelectorAct
+CODE_STD_STRING_REQUESTparseSelectorAct(1)
+	/* first check if this config line is actually for us */
+	if(strncmp((char*) p, ":mmjsonparse:", sizeof(":mmjsonparse:") - 1)) {
+		ABORT_FINALIZE(RS_RET_CONFLINE_UNPROCESSED);
+	}
+
+	/* ok, if we reach this point, we have something for us */
+	p += sizeof(":mmjsonparse:") - 1; /* eat indicator sequence  (-1 because of '\0'!) */
+	CHKiRet(createInstance(&pData));
+
+	/* check if a non-standard template is to be applied */
+	if(*(p-1) == ';')
+		--p;
+	/* we call the function below because we need to call it via our interface definition. However,
+	 * the format specified (if any) is always ignored.
+	 */
+	CHKiRet(cflineParseTemplateName(&p, *ppOMSR, 0, OMSR_TPL_AS_MSG, (uchar*) "RSYSLOG_FileFormat"));
+
+	/* finally build the instance */
+	if((pData->ctxee = ee_initCtx()) == NULL) {
+		errmsg.LogError(0, RS_RET_NO_RULESET, "error: could not initialize libee ctx, cannot "
+				"activate action");
+		ABORT_FINALIZE(RS_RET_ERR_LIBEE_INIT);
+	}
+CODE_STD_FINALIZERparseSelectorAct
+ENDparseSelectorAct
+
+
+BEGINmodExit
+CODESTARTmodExit
+	objRelease(errmsg, CORE_COMPONENT);
+ENDmodExit
+
+
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+CODEqueryEtryPt_STD_OMOD_QUERIES
+ENDqueryEtryPt
+
+
+
+/* Reset config variables for this module to default values.
+ */
+static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unused)) *pVal)
+{
+	DEFiRet;
+	RETiRet;
+}
+
+
+BEGINmodInit()
+	rsRetVal localRet;
+	rsRetVal (*pomsrGetSupportedTplOpts)(unsigned long *pOpts);
+	unsigned long opts;
+	int bMsgPassingSupported;
+CODESTARTmodInit
+INITLegCnfVars
+	*ipIFVersProvided = CURR_MOD_IF_VERSION;
+		/* we only support the current interface specification */
+CODEmodInit_QueryRegCFSLineHdlr
+	/* check if the rsyslog core supports parameter passing code */
+	bMsgPassingSupported = 0;
+	localRet = pHostQueryEtryPt((uchar*)"OMSRgetSupportedTplOpts",
+			&pomsrGetSupportedTplOpts);
+	if(localRet == RS_RET_OK) {
+		/* found entry point, so let's see if core supports msg passing */
+		CHKiRet((*pomsrGetSupportedTplOpts)(&opts));
+		if(opts & OMSR_TPL_AS_MSG)
+			bMsgPassingSupported = 1;
+	} else if(localRet != RS_RET_ENTRY_POINT_NOT_FOUND) {
+		ABORT_FINALIZE(localRet); /* Something else went wrong, not acceptable */
+	}
+	
+	if(!bMsgPassingSupported) {
+		DBGPRINTF("mmjsonparse: msg-passing is not supported by rsyslog core, "
+			  "can not continue.\n");
+		ABORT_FINALIZE(RS_RET_NO_MSG_PASSING);
+	}
+
+	CHKiRet(objUse(errmsg, CORE_COMPONENT));
+	
+	CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
+				    resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
+ENDmodInit
+
+/* vi:set ai:
+ */
-- 
cgit