From 66ab2a70e5bcc9637dfec89c6134abe10b96dde8 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 15 Mar 2012 17:25:26 +0100 Subject: added message property parsesuccess to indicate status of higher level parser run added message property parsesuccess to indicate if the last run higher-level parser could successfully parse the message or not (see property replacer html doc for details) --- ChangeLog | 3 +++ doc/property_replacer.html | 19 +++++++++++++++++++ plugins/mmaudit/mmaudit.c | 3 +++ plugins/mmjsonparse/mmjsonparse.c | 3 +++ plugins/mmnormalize/mmnormalize.c | 3 +++ runtime/msg.c | 25 +++++++++++++++++++++++++ runtime/msg.h | 2 ++ runtime/rsyslog.h | 1 + 8 files changed, 59 insertions(+) diff --git a/ChangeLog b/ChangeLog index ce13e112..1c4b00f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ Version 6.3.8 [DEVEL] 2012-02-?? - ommysql - omlibdbi - omsnmp +. added message property parsesuccess to indicate if the last run + higher-level parser could successfully parse the message or not + (see property replacer html doc for details) - bugfix: abort during startup when rsyslog.conf v6+ format was used in a certain way - bugfix: property $!all-json made rsyslog abort if no normalized data diff --git a/doc/property_replacer.html b/doc/property_replacer.html index 6456296a..394011a1 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -138,6 +138,25 @@ draft-ietf-syslog-protocol The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol + +parsesuccess +This returns the status of the last called higher level parser, +like mmjsonparse. A higher level parser parses the actual message for additional +structured data and maintains an extra property table while doing so (this is +often referred to as "cee data" because the idea was originally rooted in the +cee effort, only (but has been extended since then). Note that higher level +parsers must explicitely support (and set) this property. So, depending on the +parser, it may not be set correctly. +
If the parser properly supports it, the value "OK" means that parsing was +successfull, while "FAIL" means the parser could not successfully obtain any data. +Failure state is not necessarily an error. For example, it may simple indicate +that the cee-enhanced syslog parser (mmjsonparse) did not detect cee-enhanced format, +what can be totally valid. Using this property, further processing of the message +can be directed based on this parsing outcome. If no parser has been called at the +time this property is accessed, it will contain "FAIL". +
This property is available since version 6.3.8. + + inputname The name of the input module that generated the message (e.g. "imuxsock", "imudp"). Note that not all modules diff --git a/plugins/mmaudit/mmaudit.c b/plugins/mmaudit/mmaudit.c index 8f2a3f71..fcefd013 100644 --- a/plugins/mmaudit/mmaudit.c +++ b/plugins/mmaudit/mmaudit.c @@ -210,6 +210,7 @@ BEGINdoAction int i; es_str_t *estr; char auditID[1024]; + int bSuccess = 0; CODESTARTdoAction pMsg = (msg_t*) ppString[0]; /* note that we can performance-optimize the interface, but this also @@ -278,6 +279,7 @@ dbgprintf("mmaudit: cookie found, type %d, auditID '%s', rest of message: '%s'\n ee_deleteEvent(pMsg->event); } pMsg->event = event; + bSuccess = 1; #if 1 /***DEBUG***/ // TODO: remove after initial testing - 2010-12-01 @@ -293,6 +295,7 @@ dbgprintf("mmaudit: cookie found, type %d, auditID '%s', rest of message: '%s'\n /***END DEBUG***/ #endif finalize_it: + MsgSetParseSuccess(pMsg, bSuccess); ENDdoAction diff --git a/plugins/mmjsonparse/mmjsonparse.c b/plugins/mmjsonparse/mmjsonparse.c index 5142f94b..03147b59 100644 --- a/plugins/mmjsonparse/mmjsonparse.c +++ b/plugins/mmjsonparse/mmjsonparse.c @@ -105,6 +105,7 @@ BEGINdoAction msg_t *pMsg; uchar *buf; struct ee_event *event; + int bSuccess = 0; CODESTARTdoAction pMsg = (msg_t*) ppString[0]; /* note that we can performance-optimize the interface, but this also @@ -138,6 +139,7 @@ dbgprintf("mmjsonparse: cookie found, rest of message: '%s'\n", buf); ee_deleteEvent(pMsg->event); } pMsg->event = event; + bSuccess = 1; #if 1 /***DEBUG***/ // TODO: remove after initial testing - 2010-12-01 @@ -153,6 +155,7 @@ dbgprintf("mmjsonparse: cookie found, rest of message: '%s'\n", buf); /***END DEBUG***/ #endif finalize_it: + MsgSetParseSuccess(pMsg, bSuccess); ENDdoAction diff --git a/plugins/mmnormalize/mmnormalize.c b/plugins/mmnormalize/mmnormalize.c index 7b92d820..c5b290f4 100644 --- a/plugins/mmnormalize/mmnormalize.c +++ b/plugins/mmnormalize/mmnormalize.c @@ -126,6 +126,9 @@ CODESTARTdoAction r = ln_normalize(pData->ctxln, str, &pMsg->event); if(r != 0) { DBGPRINTF("error %d during ln_normalize\n", r); + MsgSetParseSuccess(pMsg, 0); + } else { + MsgSetParseSuccess(pMsg, 1); } es_deleteStr(str); /***DEBUG***/ // TODO: remove after initial testing - 2010-12-01 diff --git a/runtime/msg.c b/runtime/msg.c index 541409e4..8f5fb080 100644 --- a/runtime/msg.c +++ b/runtime/msg.c @@ -535,6 +535,8 @@ propNameStrToID(uchar *pName, propid_t *pPropID) *pPropID = PROP_PROCID; } else if(!strcmp((char*) pName, "msgid")) { *pPropID = PROP_MSGID; + } else if(!strcmp((char*) pName, "parsesuccess")) { + *pPropID = PROP_PARSESUCCESS; /* here start system properties (those, that do not relate to the message itself */ } else if(!strcmp((char*) pName, "$now")) { *pPropID = PROP_SYS_NOW; @@ -632,6 +634,8 @@ uchar *propIDToName(propid_t propID) return UCHAR_CONSTANT("procid"); case PROP_MSGID: return UCHAR_CONSTANT("msgid"); + case PROP_PARSESUCCESS: + return UCHAR_CONSTANT("parsesuccess"); case PROP_SYS_NOW: return UCHAR_CONSTANT("$NOW"); case PROP_SYS_YEAR: @@ -694,6 +698,7 @@ static inline rsRetVal msgBaseConstruct(msg_t **ppThis) pM->flowCtlType = 0; pM->bDoLock = 0; pM->bAlreadyFreed = 0; + pM->bParseSuccess = 0; pM->iRefCount = 1; pM->iSeverity = -1; pM->iFacility = -1; @@ -1632,6 +1637,15 @@ finalize_it: } +/* Return state of last parser. If it had success, "OK" is returned, else + * "FAIL". All from the constant pool. + */ +static inline char *getParseSuccess(msg_t *pM) +{ + return (pM->bParseSuccess) ? "OK" : "FAIL"; +} + + /* al, 2011-07-26: LockMsg to avoid race conditions */ static inline char *getMSGID(msg_t *pM) @@ -1647,6 +1661,14 @@ static inline char *getMSGID(msg_t *pM) } } +/* rgerhards 2012-03-15: set parser success (an integer, acutally bool) + */ +void MsgSetParseSuccess(msg_t *pMsg, int bSuccess) +{ + assert(pMsg != NULL); + pMsg->bParseSuccess = bSuccess; +} + /* rgerhards 2009-06-12: set associated ruleset */ void MsgSetRuleset(msg_t *pMsg, ruleset_t *pRuleset) @@ -2453,6 +2475,9 @@ uchar *MsgGetProp(msg_t *pMsg, struct templateEntry *pTpe, case PROP_MSGID: pRes = (uchar*)getMSGID(pMsg); break; + case PROP_PARSESUCCESS: + pRes = (uchar*)getParseSuccess(pMsg); + break; case PROP_SYS_NOW: if((pRes = getNOW(NOW_NOW)) == NULL) { RET_OUT_OF_MEMORY; diff --git a/runtime/msg.h b/runtime/msg.h index 55d2dfc0..4c209b8f 100644 --- a/runtime/msg.h +++ b/runtime/msg.h @@ -65,6 +65,7 @@ struct msg { int iRefCount; /* reference counter (0 = unused) */ sbool bDoLock; /* use the mutex? */ sbool bAlreadyFreed; /* aid to help detect a well-hidden bad bug -- TODO: remove when no longer needed */ + sbool bParseSuccess; /* set to reflect state of last executed higher level parser */ short iSeverity; /* the severity 0..7 */ short iFacility; /* Facility code 0 .. 23*/ short offAfterPRI; /* offset, at which raw message WITHOUT PRI part starts in pszRawMsg */ @@ -150,6 +151,7 @@ void MsgSetInputName(msg_t *pMsg, prop_t*); rsRetVal MsgSetAPPNAME(msg_t *pMsg, char* pszAPPNAME); rsRetVal MsgSetPROCID(msg_t *pMsg, char* pszPROCID); rsRetVal MsgSetMSGID(msg_t *pMsg, char* pszMSGID); +void MsgSetParseSuccess(msg_t *pMsg, int bSuccess); void MsgSetTAG(msg_t *pMsg, uchar* pszBuf, size_t lenBuf); void MsgSetRuleset(msg_t *pMsg, ruleset_t*); rsRetVal MsgSetFlowControlType(msg_t *pMsg, flowControl_t eFlowCtl); diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index 1ec00a85..356af2d5 100644 --- a/runtime/rsyslog.h +++ b/runtime/rsyslog.h @@ -128,6 +128,7 @@ typedef uintTiny propid_t; #define PROP_APP_NAME 20 #define PROP_PROCID 21 #define PROP_MSGID 22 +#define PROP_PARSESUCCESS 23 #define PROP_SYS_NOW 150 #define PROP_SYS_YEAR 151 #define PROP_SYS_MONTH 152 -- cgit