From e7982666b831ad7996275d5b55a91f4053195d05 Mon Sep 17 00:00:00 2001 From: Ryo Fujita Date: Wed, 16 Jul 2008 08:40:22 +0200 Subject: doc bugfix: fixed some typos in rsyslog.conf man page Signed-off-by: Rainer Gerhards --- ChangeLog | 1 + rsyslog.conf.5 | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 02cb75fd..c6c0f036 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,7 @@ Version 3.18.1 (rgerhards), 2008-07-?? where it was needed. This resulted in rsyslog using the default (20 minutes) in some code pathes, what looked to the user like mark messages were never written. +- doc bugfix: fixed some typos in rsyslog.conf man page --------------------------------------------------------------------------- Version 3.18.0 (rgerhards), 2008-07-11 - begun a new v3-stable based on former 3.17.4 beta plus patches to diff --git a/rsyslog.conf.5 b/rsyslog.conf.5 index 1c47f535..dd80fca0 100644 --- a/rsyslog.conf.5 +++ b/rsyslog.conf.5 @@ -28,8 +28,8 @@ file is the main configuration file for the which logs system messages on *nix systems. This file specifies rules for logging. For special features see the .BR rsyslogd (8) -manpage. Ryslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate -from syklogd you can rename it and it should work. +manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you migrate +from sysklogd you can rename it and it should work. .B Note that this version of rsyslog ships with extensive documentation in html format. This is provided in the ./doc subdirectory and probably @@ -55,7 +55,7 @@ Output module for GSS-enabled syslog .I ommysql Output module for MySQL .TP -.I omprelp +.I omrelp Output module for the reliable RELP protocol (prevents message loss). For details, see below at imrelp and the html documentation. It can be used like this: 
@@ -69,7 +69,7 @@ Output module for PostgreSQL .TP .I omlibdbi Generic database output module (Firebird/Interbase, MS SQL, Sybase, -SQLLite, Ingres, Oracle, mSQL) +SQLite, Ingres, Oracle, mSQL) .TP .I imfile Input module for text files @@ -208,7 +208,7 @@ string ":omrelp:" in front of the hostname. .sp In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination port defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit. -If you expect high traffic volume, you can expect to lose a quite noticable number of messages +If you expect high traffic volume, you can expect to lose a quite noticeable number of messages (the higher the traffic, the more likely and severe is message loss). .B If you would like to prevent message loss, use RELP: -- cgit From c70fd89dd810665f4143fa7006c0237bf4410a8a Mon Sep 17 00:00:00 2001 From: Ryo Fujita Date: Wed, 16 Jul 2008 09:00:45 +0200 Subject: fixed typo in source comment Signed-off-by: Rainer Gerhards --- ChangeLog | 1 + syslogd.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c6c0f036..ad31bc4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,7 @@ Version 3.18.1 (rgerhards), 2008-07-?? (20 minutes) in some code pathes, what looked to the user like mark messages were never written. - doc bugfix: fixed some typos in rsyslog.conf man page +- fixed typo in source comment - thanks to Rio Fujita --------------------------------------------------------------------------- Version 3.18.0 (rgerhards), 2008-07-11 - begun a new v3-stable based on former 3.17.4 beta plus patches to diff --git a/syslogd.c b/syslogd.c index f4ac2080..256b2b29 100644 --- a/syslogd.c +++ b/syslogd.c 
@@ -3093,7 +3093,7 @@ int realMain(int argc, char **argv) case 'Q': /* dont resolve hostnames in ACL to IPs */ case 's': case 'u': /* misc user settings */ - case 'w': /* disable disallowed host warnigs */ + case 'w': /* disable disallowed host warnings */ case 'x': /* disable dns for remote messages */ CHKiRet(bufOptAdd(ch, optarg)); break; @@ -3337,7 +3337,7 @@ int realMain(int argc, char **argv) if(atoi(arg) == 1) bParseHOSTNAMEandTAG = 0; break; - case 'w': /* disable disallowed host warnigs */ + case 'w': /* disable disallowed host warnings */ option_DisallowWarning = 0; break; case 'x': /* disable dns for remote messages */ -- cgit From 88e9b2d0f30a5c5fc3ce4c25f10f8947f93b6f7b Mon Sep 17 00:00:00 2001 From: Petr Salinger Date: Fri, 18 Jul 2008 10:00:13 +0200 Subject: bugfix: imklog module was not correctly compiled for GNU/kFreeBSD Signed-off-by: Rainer Gerhards --- ChangeLog | 2 ++ configure.ac | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index ad31bc4d..7cb9bc9f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,8 @@ Version 3.18.1 (rgerhards), 2008-07-?? where it was needed. This resulted in rsyslog using the default (20 minutes) in some code pathes, what looked to the user like mark messages were never written. +- bugfix: imklog module was not correctly compiled for GNU/kFreeBSD. + Thanks to Petr Salinger for the patch - doc bugfix: fixed some typos in rsyslog.conf man page - fixed typo in source comment - thanks to Rio Fujita --------------------------------------------------------------------------- diff --git a/configure.ac b/configure.ac index a2f5172d..85d0b260 100644 --- a/configure.ac +++ b/configure.ac 
@@ -27,6 +27,11 @@ case "${host}" in AC_DEFINE([OS_BSD], [1], [Indicator for a BSD OS]) os_type="bsd" ;; + *-*-kfreebsd*) + # kernel is FreeBSD, but userspace is glibc - i.e. like linux + # do not DEFINE OS_BSD + os_type="bsd" + ;; esac AC_DEFINE_UNQUOTED([HOSTENV], "$host", [the host environment, can be queried via a system variable]) -- cgit From 2879b72bdca5ec0bc5d26405662305d1a562a382 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 18 Jul 2008 11:10:07 +0200 Subject: bugfix: remove PRI part from kernel message if it is present --- ChangeLog | 2 ++ plugins/imklog/imklog.c | 1 + 2 files changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 7cb9bc9f..438f79b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ Version 3.18.1 (rgerhards), 2008-07-?? is just a simple addition of faciltity and severity). I have changed this to use own, consistent, code for PRI calculation. [Backport from 3.19.10] +- bugfix: remove PRI part from kernel message if it is present + Thanks to Michael Biebl for reporting this bug - bugfix: mark messages were not correctly written to text log files the markmessageinterval was not correctly propagated to all places where it was needed. This resulted in rsyslog using the default diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c index 38f2a23c..f7aee5b1 100644 --- a/plugins/imklog/imklog.c +++ b/plugins/imklog/imklog.c @@ -140,6 +140,7 @@ parsePRI(uchar **ppSz, int *piPri) /* OK, we have a valid PRI */ *piPri = i; + *ppSz = pSz + 1; /* update msg ptr to position after PRI */ finalize_it: RETiRet; -- cgit From 73abfd1fad59ffc426072bac779e4c0f4c712619 Mon Sep 17 00:00:00 2001 
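Review bot: The comment in the new `*-*-kfreebsd*` arm explains why OS_BSD is not defined, but not why `os_type` is still set to "bsd", which reads as a contradiction next to "like linux". I would add a line such as `# os_type stays "bsd": the kernel-facing (klog) code must use the FreeBSD variant`, assuming that is what os_type selects, which the hunk does not show. The earlier patterns of this `case` are outside the hunk. Since `case` takes the first match, it is worth confirming that none of them already matches kfreebsd host triplets, otherwise this arm is never reached.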
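Review bot: The added `*ppSz = pSz + 1;` changes parsePRI's contract, because on success the caller's pointer now moves past the PRI, and nothing in the hunk documents that. Any caller that still skips the PRI itself after a successful return would now drop the first bytes of the message text; the callers are outside the hunk, so that needs checking. I would state the contract in the function's header comment, e.g. `/* on success *ppSz points to the first char after the PRI; on error it is left untouched */`, assuming the error paths jump straight to finalize_it. The visible lines also store `i` into `*piPri` without a range check; whether the parsing code above bounds the value is not visible here.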
From: Rainer Gerhards Date: Fri, 18 Jul 2008 12:50:14 +0200 Subject: added new poperty replacer option, added missing documentation - added a new property replacer option "sp-if-no-1st-sp" to cover a problem with RFC 3164 based interpreation of tag separation. While it is a generic approach, it fixes a format problem introduced in 3.18.0, where kernel messages no longer had a space after the tag. This is done by a modifcation of the default templates. Please note that this may affect some messages where there intentionally is no space between the tag and the first character of the message content. If so, this needs to be worked around via a specific template. However, we consider this scenario to be quite remote and, even if it exists, it is not expected that it will actually cause problems with log parsers (instead, we assume the new default template behaviour may fix previous problems with log parsers due to the missing space). - doc bugfix: property replacer options secpath-replace and secpath-drop were not documented --- ChangeLog | 15 +++++++++++++++ doc/property_replacer.html | 42 ++++++++++++++++++++++++++++++++++++++---- msg.c | 26 ++++++++++++++++++++++++++ syslogd.c | 8 ++++---- template.c | 11 +++++++++++ template.h | 1 + 6 files changed, 95 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 438f79b7..ab78ab5c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -20,8 +20,23 @@ Version 3.18.1 (rgerhards), 2008-07-?? where it was needed. This resulted in rsyslog using the default (20 minutes) in some code pathes, what looked to the user like mark messages were never written. +- added a new property replacer option "sp-if-no-1st-sp" to cover + a problem with RFC 3164 based interpreation of tag separation. While + it is a generic approach, it fixes a format problem introduced in + 3.18.0, where kernel messages no longer had a space after the tag. + This is done by a modifcation of the default templates. + Please note that this may affect some messages where there intentionally + is no space between the tag and the first character of the message + content. If so, this needs to be worked around via a specific + template. However, we consider this scenario to be quite remote and, + even if it exists, it is not expected that it will actually cause + problems with log parsers (instead, we assume the new default template + behaviour may fix previous problems with log parsers due to the + missing space). - bugfix: imklog module was not correctly compiled for GNU/kFreeBSD. Thanks to Petr Salinger for the patch +- doc bugfix: property replacer options secpath-replace and + secpath-drop were not documented - doc bugfix: fixed some typos in rsyslog.conf man page - fixed typo in source comment - thanks to Rio Fujita --------------------------------------------------------------------------- diff --git a/doc/property_replacer.html b/doc/property_replacer.html index a2efaede..f5fc194c 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -253,7 +253,7 @@ Especially useful for PIX. format as RFC 3339 date -escape-cc +escape-cc replace control characters (ASCII value 127 and values less then 32) with an escape sequence. The sequnce is "#<charval>" where charval is the 3-digit decimal value @@ -263,19 +263,53 @@ Note: using this option requires that space-cc replace control characters by spaces
Note: using this option requires that
$EscapeControlCharactersOnReceive is set to off. -drop-cc +drop-cc drop control characters - the resulting string will neither contain control characters, escape sequences nor any other replacement character like space.
Note: using this option requires that $EscapeControlCharactersOnReceive is set to off. + +sp-if-no-1st-sp +This option looks scary and should probably not be used by a user. For any field +given, it returns either a single space character or no character at all. Field content +is never returned. A space is returned if (and only if) the first character of the +field's content is NOT a space. This option is kind of a hack to solve a problem rooted +in RFC 3164: 3164 specifies no delimiter between the syslog tag sequence and the actual +message text. Almost all implementation in fact delemit the two by a space. As of +RFC 3164, this space is part of the message text itself. This leads to a problem when +building the message (e.g. when writing to disk or forwarding). Should a delimiting +space be included if the message does not start with one? If not, the tag is immediately +followed by another non-space character, which can lead some log parsers to misinterpret +what is the tag and what the message. The problem finally surfaced when the klog module +was restructured and the tag correctly written. It exists with other message sources, +too. The solution was the introduction of this special property replacer option. Now, +the default template can contain a conditional space, which exists only if the +message does not start with one. While this does not solve all issues, it should +work good enough in the far majority of all cases. If you read this text and have +no idea of what it is talking about - relax: this is a good indication you will never +need this option. Simply forget about it ;) + + + +secpath-drop +Drops slashes inside the field (e.g. "a/b" becomes "ab"). +Useful for secure pathname generation (with dynafiles). + + + +secpath-replace +Replace slashes inside the field by an underscore. (e.g. "a/b" becomes "a_b"). +Useful for secure pathname generation (with dynafiles). + +

Further Links

@@ -286,4 +320,4 @@ to record severity and facility of a message)
  • Configuration file syntax, this is where you actually use the property replacer.
  • - \ No newline at end of file + diff --git a/msg.c b/msg.c index 1590a7bb..bd1e425e 100644 --- a/msg.c +++ b/msg.c @@ -1897,6 +1897,32 @@ char *MsgGetProp(msg_t *pMsg, struct templateEntry *pTpe, #endif /* #ifdef FEATURE_REGEXP */ } + /* now check if we need to do our "SP if first char is non-space" hack logic */ + if(*pRes && pTpe->data.field.options.bSPIffNo1stSP) { + char *pB; + uchar cFirst = *pRes; + + /* here, we always destruct the buffer and return a new one */ + pB = (char *) malloc(2 * sizeof(char)); + if(pB == NULL) { + if(*pbMustBeFreed == 1) + free(pRes); + *pbMustBeFreed = 0; + return "**OUT OF MEMORY**"; + } + pRes = pB; + *pbMustBeFreed = 1; + + if(cFirst == ' ') { + /* if we have a SP, we must return an empty string */ + *pRes = '\0'; /* empty */ + } else { + /* if it is no SP, we need to return one */ + *pRes = ' '; + *(pRes+1) = '\0'; + } + } + if(*pRes) { /* case conversations (should go after substring, because so we are able to * work on the smallest possible buffer). diff --git a/syslogd.c b/syslogd.c index 256b2b29..35e91af0 100644 --- a/syslogd.c +++ b/syslogd.c 
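Review bot: On the success path of the new sp-if-no-1st-sp block, `pRes = pB;` overwrites the old `pRes` without freeing it. Whenever an earlier stage of MsgGetProp handed over an allocated buffer (`*pbMustBeFreed == 1`), that buffer is leaked for every message formatted with this option. The out-of-memory branch already releases it, so the same check belongs just before the reassignment: `if(*pbMustBeFreed == 1) free(pRes);`. In a long-running log daemon a per-message leak is a steady memory-exhaustion risk for anyone who combines this option with a transformation that allocates. MsgGetProp starts and ends outside the hunk, so which earlier stages set the flag cannot be confirmed from here.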
@@ -424,11 +424,11 @@ int option_DisallowWarning = 1; /* complain if message from disallowed sender is /* hardcoded standard templates (used for defaults) */ static uchar template_SyslogProtocol23Format[] = "\"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n\""; -static uchar template_TraditionalFileFormat[] = "\"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n\""; -static uchar template_FileFormat[] = "\"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n\""; +static uchar template_TraditionalFileFormat[] = "\"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n\""; +static uchar template_FileFormat[] = "\"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n\""; static uchar template_WallFmt[] = "\"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r\""; -static uchar template_ForwardFormat[] = "\"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg%\""; -static uchar template_TraditionalForwardFormat[] = "\"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg%\""; +static uchar template_ForwardFormat[] = "\"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\""; +static uchar template_TraditionalForwardFormat[] = "\"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\""; static uchar template_StdUsrMsgFmt[] = "\" %syslogtag%%msg%\n\r\""; static uchar template_StdDBFmt[] = "\"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')\",SQL"; static uchar template_StdPgSQLFmt[] = "\"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values 
('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-pgsql%', '%timegenerated:::date-pgsql%', %iut%, '%syslogtag%')\",STDSQL"; diff --git a/template.c b/template.c index 844c5aec..627f8911 100644 --- a/template.c +++ b/template.c @@ -444,6 +444,8 @@ static void doOptions(unsigned char **pp, struct templateEntry *pTpe) pTpe->data.field.eCaseConv = tplCaseConvLower; } else if(!strcmp((char*)Buf, "uppercase")) { pTpe->data.field.eCaseConv = tplCaseConvUpper; + } else if(!strcmp((char*)Buf, "sp-if-no-1st-sp")) { + pTpe->data.field.options.bSPIffNo1stSP = 1; } else if(!strcmp((char*)Buf, "escape-cc")) { pTpe->data.field.options.bEscapeCC = 1; } else if(!strcmp((char*)Buf, "drop-cc")) { @@ -1013,6 +1015,15 @@ void tplPrintList(void) if(pTpe->data.field.options.bSpaceCC) { dbgprintf("[replace control-characters with space] "); } + if(pTpe->data.field.options.bSecPathDrop) { + dbgprintf("[slashes are dropped] "); + } + if(pTpe->data.field.options.bSecPathReplace) { + dbgprintf("[slashes are replaced by '_'] "); + } + if(pTpe->data.field.options.bSPIffNo1stSP) { + dbgprintf("[SP iff no first SP] "); + } if(pTpe->data.field.options.bDropLastLF) { dbgprintf("[drop last LF in msg] "); } diff --git a/template.h b/template.h index 5b0bcdb4..02264201 100644 --- a/template.h +++ b/template.h @@ -80,6 +80,7 @@ struct templateEntry { unsigned bDropLastLF: 1; /* drop last LF char in msg (PIX!) */ unsigned bSecPathDrop: 1; /* drop slashes, replace dots, empty string */ unsigned bSecPathReplace: 1; /* replace slashes, replace dots, empty string */ + unsigned bSPIffNo1stSP: 1; /* replace slashes, replace dots, empty string */ } options; /* options as bit fields */ } field; } data; -- cgit
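Review bot: The conditional space is added to the two file templates and the two forward templates, but `template_WallFmt` and `template_StdUsrMsgFmt` in the same hunk still use `%syslogtag%%msg%`. Judging by their names, wall and user-message output would therefore keep the tag glued to the message text for sources that no longer supply the leading space. If that is intentional, a one-line comment above the template block saying so would prevent a later "fix"; otherwise they need the same `%msg:::sp-if-no-1st-sp%` insertion before `%msg%`.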
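Review bot: The comment on the new `bSPIffNo1stSP` bit field in template.h is a copy of the one on bSecPathReplace above it ("replace slashes, replace dots, empty string") and does not describe this option. Going by the msg.c change in the same commit, it should read something like `/* emit a single SP iff the field's first char is not SP; field content is never returned */`. The struct definition starts outside the hunk.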