From 548962d5193409f99b989dd38b691618f7970d04 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 4 Jul 2014 00:36:16 +0200 Subject: [PATCH] pmciscoios: skeleton & first rough implementation approach (yet incomplete) --- Makefile.am | 4 + configure.ac | 15 +++ plugins/pmciscoios/Makefile.am | 8 ++ plugins/pmciscoios/pmciscoios.c | 166 ++++++++++++++++++++++++++++++++ 4 files changed, 193 insertions(+) create mode 100644 plugins/pmciscoios/Makefile.am create mode 100644 plugins/pmciscoios/pmciscoios.c diff --git a/Makefile.am b/Makefile.am index 7bf96aa67..151bad5eb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -130,6 +130,10 @@ if ENABLE_PMCISCONAMES SUBDIRS += plugins/pmcisconames endif +if ENABLE_PMCISCOIOS +SUBDIRS += plugins/pmciscoios +endif + if ENABLE_PMAIXFORWARDEDFROM SUBDIRS += plugins/pmaixforwardedfrom endif diff --git a/configure.ac b/configure.ac index 86602fea5..772546ce1 100644 --- a/configure.ac +++ b/configure.ac @@ -1277,6 +1277,19 @@ AC_ARG_ENABLE(pmcisconames, AM_CONDITIONAL(ENABLE_PMCISCONAMES, test x$enable_pmcisconames = xyes) +# settings for pmciscoios +AC_ARG_ENABLE(pmciscoios, + [AS_HELP_STRING([--enable-pmciscoios],[Compiles ciscoios parser module @<:@default=no@:>@])], + [case "${enableval}" in + yes) enable_pmciscoios="yes" ;; + no) enable_pmciscoios="no" ;; + *) AC_MSG_ERROR(bad value ${enableval} for --enable-pmciscoios) ;; + esac], + [enable_pmciscoios=no] +) +AM_CONDITIONAL(ENABLE_PMCISCOIOS, test x$enable_pmciscoios = xyes) + + # settings for pmaixforwardedfrom AC_ARG_ENABLE(pmaixforwardedfrom, [AS_HELP_STRING([--enable-pmaixforwardedfrom],[Compiles aixforwardedfrom parser module @<:@default=no@:>@])], @@ -1548,6 +1561,7 @@ AC_CONFIG_FILES([Makefile \ plugins/pmrfc3164sd/Makefile \ plugins/pmlastmsg/Makefile \ plugins/pmcisconames/Makefile \ + plugins/pmciscoios/Makefile \ plugins/pmsnare/Makefile \ plugins/pmaixforwardedfrom/Makefile \ plugins/omruleset/Makefile \ 
@@ -1639,6 +1653,7 @@ echo "---{ parser modules }---"
 echo " pmrfc3164sd module will be compiled: $enable_pmrfc3164sd"
 echo " pmlastmsg module will be compiled: $enable_pmlastmsg"
 echo " pmcisconames module will be compiled: $enable_pmcisconames"
+echo " pmciscoios module will be compiled: $enable_pmciscoios"
 echo " pmaixforwardedfrom module w.be compiled: $enable_pmaixforwardedfrom"
 echo " pmsnare module will be compiled: $enable_pmsnare"
 echo
diff --git a/plugins/pmciscoios/Makefile.am b/plugins/pmciscoios/Makefile.am
new file mode 100644
index 000000000..23a08bafe
--- /dev/null
+++ b/plugins/pmciscoios/Makefile.am
@@ -0,0 +1,8 @@
+pkglib_LTLIBRARIES = pmciscoios.la
+
+pmciscoios_la_SOURCES = pmciscoios.c
+pmciscoios_la_CPPFLAGS = $(RSRT_CFLAGS) $(PTHREADS_CFLAGS) -I ../../tools
+pmciscoios_la_LDFLAGS = -module -avoid-version
+pmciscoios_la_LIBADD =
+
+EXTRA_DIST =
diff --git a/plugins/pmciscoios/pmciscoios.c b/plugins/pmciscoios/pmciscoios.c
new file mode 100644
index 000000000..1337e9060
--- /dev/null
+++ b/plugins/pmciscoios/pmciscoios.c
@@ -0,0 +1,166 @@
+/* pmrciscoios.c
+ * This is a parser module for CISCO IOS "syslog" format.
+ *
+ * File begun on 2014-07-07 by RGerhards
+ *
+ * Copyright 2014 Rainer Gerhards and Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "config.h"
+#include "rsyslog.h"
+#include
+#include
+#include
+#include
+#include
+#include "syslogd.h"
+#include "conf.h"
+#include "syslogd-types.h"
+#include "template.h"
+#include "msg.h"
+#include "module-template.h"
+#include "glbl.h"
+#include "errmsg.h"
+#include "parser.h"
+#include "datetime.h"
+#include "unicode-helper.h"
+
+MODULE_TYPE_PARSER
+MODULE_TYPE_NOKEEP
+PARSER_NAME("rsyslog.ciscoios")
+
+/* internal structures */
+DEF_PMOD_STATIC_DATA
+DEFobjCurrIf(errmsg)
+DEFobjCurrIf(glbl)
+DEFobjCurrIf(parser)
+DEFobjCurrIf(datetime)
+
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+ if(eFeat == sFEATUREAutomaticSanitazion)
+ iRet = RS_RET_OK;
+ if(eFeat == sFEATUREAutomaticPRIParsing)
+ iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+
+BEGINparse
+ uchar *p2parse;
+ long long msgcounter;
+ int lenMsg;
+ int i; /* general index for parsing */
+ int j; /* index for target buffers */
+ uchar bufParseTAG[512];
+ uchar bufParseHOSTNAME[CONF_HOSTNAME_MAXSIZE]; /* used by origin */
+CODESTARTparse
+ DBGPRINTF("Message will now be parsed by pmciscoios\n");
+ assert(pMsg != NULL);
+ assert(pMsg->pszRawMsg != NULL);
+ lenMsg = pMsg->iLenRawMsg - pMsg->offAfterPRI; /* note: offAfterPRI is already the number of PRI chars (do not add one!) */
+ p2parse = pMsg->pszRawMsg + pMsg->offAfterPRI; /* point to start of text, after PRI */
+
+ /* first obtain the message counter. It must be numeric up until
+ * the ": " terminator sequence
+ */
+ msgcounter = 0;
+ while(i < lenMsg && (p2parse[i] >= '0' && p2parse[i] <= '9') ) {
+ msgcounter = msgcounter * 10 + p2parse[i] - '0';
+ ++i;
+ }
+ DBGPRINTF("pmciscoios: msgcntr %lld\n", msgcounter);
+
+ /* delimiter check */
+ if(i+1 >= lenMsg || p2parse[i] != ':' || p2parse[i] != ' ')
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+ i += 2;
+
+
+ /* now parse year */
+ if(datetime.ParseTIMESTAMP3164(&(pMsg->tTIMESTAMP), &p2parse, &lenMsg) == RS_RET_OK) {
+ if(pMsg->dfltTZ[0] != '\0')
+ applyDfltTZ(&pMsg->tTIMESTAMP, pMsg->dfltTZ);
+ } else {
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+ }
+
+ /* delimiter check */
+ if(i+1 >= lenMsg || p2parse[i] != ':' || p2parse[i] != ' ')
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+ i += 2;
+
+ /* parse syslog tag. must always start with '%', else we have a field mismatch */
+ if(i >= lenMsg || p2parse[i] != '%')
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+
+
+ j = 0;
+ while(i < lenMsg && *p2parse != ':' && *p2parse != ' ' && i < (int) sizeof(bufParseTAG) - 2) {
+ bufParseTAG[j++] = p2parse[i];
+ }
+
+ /* delimiter check */
+ if(i+1 >= lenMsg || p2parse[i] != ':' || p2parse[i] != ' ')
+ ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
+
+ if(i < lenMsg && p2parse[i] == ':') {
+ ++i;
+ bufParseTAG[j++] = ':';
+ }
+ bufParseTAG[j] = '\0'; /* terminate string */
+
+ /* if we reach this point, we have a wellformed message and can persist the values */
+ MsgSetMSGoffs(pMsg, i); /* The unparsed rest is the actual MSG (for consistency, start it with SP) */
+ setProtocolVersion(pMsg, MSG_LEGACY_PROTOCOL);
+ MsgSetTAG(pMsg, bufParseTAG, i);
+finalize_it:
+ENDparse
+
+
+BEGINmodExit
+CODESTARTmodExit
+ /* release what we no longer need */
+ objRelease(errmsg, CORE_COMPONENT);
+ objRelease(glbl, CORE_COMPONENT);
+ objRelease(parser, CORE_COMPONENT);
+ objRelease(datetime, CORE_COMPONENT);
+ENDmodExit
+
+
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+CODEqueryEtryPt_STD_PMOD_QUERIES
+CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
+ENDqueryEtryPt
+
+
+BEGINmodInit(pmrfc3164)
+CODESTARTmodInit
+ *ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
+CODEmodInit_QueryRegCFSLineHdlr
+ CHKiRet(objUse(glbl, CORE_COMPONENT));
+ CHKiRet(objUse(errmsg, CORE_COMPONENT));
+ CHKiRet(objUse(parser, CORE_COMPONENT));
+ CHKiRet(objUse(datetime, CORE_COMPONENT));
+
+ DBGPRINTF("pmciscoios parser init called\n");
+ENDmodInit
+
+/* vim:set ai:
+ */
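Review bot: In the parse entry point, `i` is read by the digit loop before it is ever assigned, and the tag-copy loop never advances `i`, tests `*p2parse` instead of `p2parse[i]`, and bounds `i` rather than `j`, so once entered it keeps writing past the 512-byte `bufParseTAG` on the stack; since the input is the raw syslog message, both are memory-safety defects rather than cosmetic ones. All three delimiter checks compare the same `p2parse[i]` against ':' and ' ' with `||`, which is always true, so every message is rejected today and the copy loop is only masked, not safe. `MsgSetTAG` is also passed `i` where the tag length `j` appears to be intended. `ParseTIMESTAMP3164` is handed `&p2parse` and `&lenMsg`, so it presumably moves the base that `i` indexes from; that should be confirmed before `i` is reused after the timestamp. The fence shows the index initialisation, the corrected delimiter test (to be applied at all three sites) and a copy loop bounded on `j`.

```c
	/* … unchanged: lenMsg / p2parse setup … */
	i = 0;	/* the digit loop below reads i, so it must start at 0 */
	msgcounter = 0;
	/* … unchanged: digit loop and DBGPRINTF … */

	/* delimiter check: ':' at i, ' ' at i+1 */
	if(i+1 >= lenMsg || p2parse[i] != ':' || p2parse[i+1] != ' ')
		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
	i += 2;
	/* … unchanged: timestamp parsing, second delimiter check, '%' check … */

	j = 0;
	/* bound on j, leaving room for the optional ':' and the NUL */
	while(i < lenMsg && p2parse[i] != ':' && p2parse[i] != ' '
	      && j < (int) sizeof(bufParseTAG) - 2) {
		bufParseTAG[j++] = p2parse[i++];
	}
	/* … unchanged: ':' append, NUL termination, MsgSetMSGoffs … */
	MsgSetTAG(pMsg, bufParseTAG, j);
```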