Re: [rsyslog] question about the parser interface.

Mon, 13 Dec 2010 20:46:39 -0800

If the message can be modified by the parser, I think this is appriximatly what is needed for the cisco problem.
I'm not sure exactly what to do to tie it in to the build system, so this one isn't even compile tested. 

David Lang

On Mon, 13 Dec 2010, [email protected] wrote:


Date: Mon, 13 Dec 2010 20:26:35 -0800 (PST)
From: [email protected]
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] question about the parser interface.


Is it possible for a parser to just modify the input string and then let it 
fall through for another parser to handle the modified string?


I have two rather simple parsers I want to write that fall in this category

1. Cisco with name resolution

A cisco without name resolution turned on logs
<pri> timestamp IPaddr %tag msg

a cisco with name resolution turned on logs
<pri> timestamp name : %tag msg


I want to detect the bare : in the syslog field followed by the % at the 
start of the next tag, and if I find them, just memmove everything up (so 
that the % ends up where the : was, shortening the string by two characters), 
then let if fall through for normal processing.


2. AIX forwarding messages

AIX defaults to messages in the format

<pri> timestamp Message Forwarded From hostname syslogtag msg


I want to look for 'Message Forwarded From' starting in the hostname field, 
and if I find them, memmove everything up so that the hostname is in the 
right place, and again let everything fall through to the normal parser for 
handling.



I really don't want to have to duplicate the normal parser in each of these 
parsers as they are just (almost) trivial cleanups of the log message before 
it's handled normally.


David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

diff --git a/plugins/pmcisconames/Makefile.am b/plugins/pmcisconames/Makefile.am
new file mode 100644
index 0000000..16ed347
--- /dev/null
+++ b/plugins/pmcisconames/Makefile.am
@@ -0,0 +1,8 @@
+pkglib_LTLIBRARIES = pmcisconames.la
+
+pmcisconames_la_SOURCES = pmcisconames.c
+pmcisconames_la_CPPFLAGS =  $(RSRT_CFLAGS) $(PTHREADS_CFLAGS) -I ../../tools
+pmcisconames_la_LDFLAGS = -module -avoid-version
+pmcisconames_la_LIBADD = 
+
+EXTRA_DIST = 
diff --git a/plugins/pmcisconames/pmcisconames.c b/plugins/pmcisconames/pmcisconames.c
new file mode 100644
index 0000000..28fe33d
--- /dev/null
+++ b/plugins/pmcisconames/pmcisconames.c
@@ -0,0 +1,153 @@
+/* pmcisconames.c
+ *
+ * this detects logs sent by Cisco devices that mangle their syslog output when you tell them to log by name by adding ' :' between the name and the %XXX-X-XXXXXXX: tag
+ * 
+ * instead of actually parsing the message, this modifies the message and then falls through to allow a later parser to handle the now modified message
+ *
+ * created 2010-12-13 by David Lang based on pmlastmsg
+ *
+ * This file is part of rsyslog.
+ *
+ * Rsyslog is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rsyslog is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rsyslog.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * A copy of the GPL can be found in the file "COPYING" in this distribution.
+ */
+#include "config.h"
+#include "rsyslog.h"
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <ctype.h>
+#include "conf.h"
+#include "syslogd-types.h"
+#include "template.h"
+#include "msg.h"
+#include "module-template.h"
+#include "glbl.h"
+#include "errmsg.h"
+#include "parser.h"
+#include "datetime.h"
+#include "unicode-helper.h"
+
+MODULE_TYPE_PARSER
+PARSER_NAME("rsyslog.lastline")
+
+/* internal structures
+ */
+DEF_PMOD_STATIC_DATA
+DEFobjCurrIf(errmsg)
+DEFobjCurrIf(glbl)
+DEFobjCurrIf(parser)
+DEFobjCurrIf(datetime)
+
+
+/* static data */
+static int bParseHOSTNAMEandTAG;	/* cache for the equally-named global param - performance enhancement */
+
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+	if(eFeat == sFEATUREAutomaticSanitazion)
+		iRet = RS_RET_OK;
+	if(eFeat == sFEATUREAutomaticPRIParsing)
+		iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+
+BEGINparse
+	uchar *p2parse;
+	int lenMsg;
+#define OpeningText ": %"
+CODESTARTparse
+	dbgprintf("Message will now be parsed by fix Cisco Names parser.\n");
+	assert(pMsg != NULL);
+	assert(pMsg->pszRawMsg != NULL);
+	lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* note: offAfterPRI is already the number of PRI chars (do not add one!) */
+	p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+
+	/* check if this message is of the type we handle in this (very limited) parser */
+	/* first, we permit SP */
+	while(lenMsg && *p2parse == ' ') {
+		--lenMsg;
+		++p2parse;
+	}
+dbgprintf("pmcisconames: msg to look at: [%d]'%s'\n", lenMsg, p2parse);
+	if((unsigned) lenMsg < 34) {
+		/* too short, can not be "our" message */
+                /* minimum message, 16 character timestamp, 1 character name, ' : %ASA-1-000000: '*/
+dbgprintf("msg too short!\n");
+		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+	}
+
+	/* skip over timestamp */
+	lenMsg -=16;
+	p2parse +=16;
+	/* now look for the next space to walk past the hostname */
+	while(lenMsg && *p2parse != ' ') {
+		--lenMsg;
+		++p2parse;
+	}
+	/* skip the space after the hostname */
+	lenMsg -=1;
+	p2parse +=1;
+        /* if the syslog tag is : and the next thing starts with a % assume that this is a mangled cisco log and fix it */
+	if(strncasecmp((char*) p2parse, OpeningText, sizeof(OpeningText)-1) != 0) {
+		/* wrong opening text */
+dbgprintf("not a cisco name mangled log!\n");
+		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+	}
+	/* bump the message portion up by two characters to overwrite the extra : */
+	memmove(p2parse, p2parse + 2, lenMsg - 2);
+	/* now, claim to abort so that something else can parse the now modified message */
+	DBGPRINTF("pmcisconames detected a mangled Cisco log message message\n");
+	ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+
+finalize_it:
+ENDparse
+
+
+BEGINmodExit
+CODESTARTmodExit
+	/* release what we no longer need */
+	objRelease(errmsg, CORE_COMPONENT);
+	objRelease(glbl, CORE_COMPONENT);
+	objRelease(parser, CORE_COMPONENT);
+	objRelease(datetime, CORE_COMPONENT);
+ENDmodExit
+
+
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+CODEqueryEtryPt_STD_PMOD_QUERIES
+CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
+ENDqueryEtryPt
+
+
+BEGINmodInit()
+CODESTARTmodInit
+	*ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
+CODEmodInit_QueryRegCFSLineHdlr
+	CHKiRet(objUse(glbl, CORE_COMPONENT));
+	CHKiRet(objUse(errmsg, CORE_COMPONENT));
+	CHKiRet(objUse(parser, CORE_COMPONENT));
+	CHKiRet(objUse(datetime, CORE_COMPONENT));
+
+	dbgprintf("lastmsg parser init called, compiled with version %s\n", VERSION);
+ 	bParseHOSTNAMEandTAG = glbl.GetParseHOSTNAMEandTAG(); /* cache value, is set only during rsyslogd option processing */
+
+
+ENDmodInit
+
+/* vim:set ai:
+ */

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com






















					Reply via email to