testbench: refactor tests which used "nettester" tool

Some old tests are carried out via the nettester tool. This was
our initial shot at a testbench a couple of years ago. While it
worked back then, the testbench framework has been much enhanced.
These old tests are nowadays very hard to handle, as they miss
debug support etc. So it is time to refactor them to new style.

As a side-activity, the testbench plumbing has been enhanced to
support some operations commonly needed by these tests. Contrary
to pre-existing plumbing, these new operations are now crafted
using bash functions, which we consider superior to the current
method. So this is also the start of converting the older-style
functionality into bash functions. We just did this now because
it was required and we entangled it into the test refactoring
because it was really needed. Else we had to write old-style
operations and convert them in another commit, which would
have been a waste of time.

Special thanks to Pascal Withopf for the initial step of taking
old tests and putting config as well as test data together into
the refactored tests, on which Rainer Gerhards then could build
to create the new tests and update testbench plumbing.
Rainer Gerhards 2018-06-27 08:39:55 +02:00
parent b30367b146
commit abce4630d5
No known key found for this signature in database
GPG Key ID: 0CB6B2A8BE80B499
155 changed files with 2079 additions and 2129 deletions


@ -23,7 +23,7 @@ liboverride_getaddrinfo_la_CFLAGS =
liboverride_getaddrinfo_la_LDFLAGS = -avoid-version -shared
# TODO: reenable TESTRUNS = rt_init rscript
check_PROGRAMS = $(TESTRUNS) ourtail nettester tcpflood chkseq msleep randomgen \
check_PROGRAMS = $(TESTRUNS) ourtail tcpflood chkseq msleep randomgen \
diagtalker uxsockrcvr syslog_caller inputfilegen minitcpsrv \
omrelp_dflt_port \
mangle_qi \
@ -770,18 +770,50 @@ endif
if ENABLE_OMSTDOUT
TESTS += \
omod-if-array.sh \
omod-if-array-udp.sh \
threadingmq.sh \
threadingmqaq.sh \
badqi.sh
if ENABLE_IMPTCP
TESTS += \
tabescape_dflt.sh \
tabescape_dflt-udp.sh \
tabescape_off.sh \
timestamp.sh \
inputname.sh \
proprepltest.sh \
parsertest.sh \
fieldtest.sh
tabescape_off-udp.sh \
inputname-imtcp.sh \
parsertest-parse1.sh \
parsertest-parse1-udp.sh \
parsertest-parse2.sh \
parsertest-parse2-udp.sh \
parsertest-parse_8bit_escape.sh \
parsertest-parse_8bit_escape-udp.sh \
parsertest-parse3.sh \
parsertest-parse3-udp.sh \
parsertest-parse_invld_regex.sh \
parsertest-parse_invld_regex-udp.sh \
parsertest-parse-3164-buggyday.sh \
parsertest-parse-3164-buggyday-udp.sh \
parsertest-parse-nodate.sh \
parsertest-parse-nodate-udp.sh \
parsertest-snare_ccoff_udp.sh \
parsertest-snare_ccoff_udp2.sh \
fieldtest.sh \
fieldtest-udp.sh \
proprepltest-nolimittag-udp.sh \
proprepltest-nolimittag.sh \
proprepltest-rfctag-udp.sh \
proprepltest-rfctag.sh \
timestamp-3164-udp.sh \
timestamp-3164.sh \
timestamp-3339-udp.sh \
timestamp-3339.sh \
timestamp-mysql-udp.sh \
timestamp-mysql.sh \
timestamp-pgsql-udp.sh \
timestamp-pgsql.sh \
timestamp-subseconds-udp.sh \
timestamp-subseconds.sh
endif
endif
@ -793,7 +825,24 @@ endif
if ENABLE_PMSNARE
TESTS += \
pmsnare.sh
pmsnare-default.sh \
pmsnare-default-udp.sh \
pmsnare-ccoff.sh \
pmsnare-ccoff-udp.sh \
pmsnare-ccdefault.sh \
pmsnare-ccdefault-udp.sh \
pmsnare-cccstyle.sh \
pmsnare-cccstyle-udp.sh \
pmsnare-ccbackslash.sh \
pmsnare-ccbackslash-udp.sh \
pmsnare-modoverride.sh \
pmsnare-modoverride-udp.sh
endif
if ENABLE_PMLASTMSG
TESTS += \
pmlastmsg.sh \
pmlastmsg-udp.sh
endif
if ENABLE_EXTENDED_TESTS
@ -930,73 +979,6 @@ EXTRA_DIST= \
DevNull.cfgtest \
err1.rstest \
NoExistFile.cfgtest \
timestamp.sh \
testsuites/ts3164.conf \
testsuites/mon1digit.ts3164 \
testsuites/mon2digit.ts3164 \
testsuites/Jan.ts3164 \
testsuites/Feb.ts3164 \
testsuites/Mar.ts3164 \
testsuites/Apr.ts3164 \
testsuites/May.ts3164 \
testsuites/Jun.ts3164 \
testsuites/Jul.ts3164 \
testsuites/Aug.ts3164 \
testsuites/Sep.ts3164 \
testsuites/Oct.ts3164 \
testsuites/Nov.ts3164 \
testsuites/Dec.ts3164 \
testsuites/ts3339.conf \
testsuites/master.ts3339 \
testsuites/tsmysql.conf \
testsuites/master.tsmysql \
testsuites/tspgsql.conf \
testsuites/master.tspgsql \
testsuites/subsecond.conf \
testsuites/master.subsecond \
testsuites/parse_8bit_escape.conf \
testsuites/8bit.parse_8bit_escape \
testsuites/parse1.conf \
testsuites/field1.conf \
testsuites/1.parse1 \
testsuites/2.parse1 \
testsuites/3.parse1 \
testsuites/4.parse1 \
testsuites/mark.parse1 \
testsuites/8bit.parse1 \
testsuites/empty.parse1 \
testsuites/snare.parse1 \
testsuites/oversizeTag-1.parse1 \
testsuites/weird.parse1 \
testsuites/date1.parse1 \
testsuites/date2.parse1 \
testsuites/date3.parse1 \
testsuites/date4.parse1 \
testsuites/date5.parse1 \
testsuites/rfc3164.parse1 \
testsuites/rfc5424-1.parse1 \
testsuites/rfc5424-2.parse1 \
testsuites/rfc5424-3.parse1 \
testsuites/rfc5424-4.parse1 \
testsuites/malformed1.parse1 \
testsuites/reallife.parse1 \
testsuites/parse2.conf \
testsuites/reallife.parse2 \
testsuites/parse3.conf \
testsuites/reallife.parse3 \
testsuites/parse-nodate.conf \
testsuites/samples.parse-nodate \
testsuites/parse_invld_regex.conf \
testsuites/samples.parse_invld_regex \
testsuites/parse-3164-buggyday.conf \
testsuites/samples.parse-3164-buggyday \
testsuites/snare_ccoff_udp.conf \
testsuites/samples.snare_ccoff_udp \
testsuites/snare_ccoff_udp2.conf \
testsuites/samples.snare_ccoff_udp2 \
testsuites/omod-if-array.conf \
testsuites/1.omod-if-array \
testsuites/1.field1 \
tcp_forwarding_tpl.sh \
tcp_forwarding_ns_tpl.sh \
testsuites/tcp_forwarding_tpl.conf \
@ -1005,8 +987,38 @@ EXTRA_DIST= \
testsuites/tcp_forwarding_dflt_tpl.conf \
tcp_forwarding_retries.sh \
killrsyslog.sh \
parsertest.sh \
parsertest-parse1.sh \
parsertest-parse1-udp.sh \
parsertest-parse2.sh \
parsertest-parse2-udp.sh \
parsertest-parse_8bit_escape.sh \
parsertest-parse_8bit_escape-udp.sh \
parsertest-parse3.sh \
parsertest-parse3-udp.sh \
parsertest-parse_invld_regex.sh \
parsertest-parse_invld_regex-udp.sh \
parsertest-parse-3164-buggyday.sh \
parsertest-parse-3164-buggyday-udp.sh \
parsertest-parse-nodate.sh \
parsertest-parse-nodate-udp.sh \
parsertest-snare_ccoff_udp.sh \
parsertest-snare_ccoff_udp2.sh \
fieldtest.sh \
fieldtest-udp.sh \
proprepltest-nolimittag-udp.sh \
proprepltest-nolimittag.sh \
proprepltest-rfctag-udp.sh \
proprepltest-rfctag.sh \
timestamp-3164-udp.sh \
timestamp-3164.sh \
timestamp-3339-udp.sh \
timestamp-3339.sh \
timestamp-mysql-udp.sh \
timestamp-mysql.sh \
timestamp-pgsql-udp.sh \
timestamp-pgsql.sh \
timestamp-subseconds-udp.sh \
timestamp-subseconds.sh \
rsf_getenv.sh \
testsuites/rsf_getenv.conf \
diskq-rfc5424.sh \
@ -1361,12 +1373,9 @@ EXTRA_DIST= \
testsuites/imtcp_addtlframedelim.conf \
tcp-msgreduc-vg.sh \
testsuites/./tcp-msgreduc-vg.conf \
inputname.sh \
testsuites/inputname_imtcp.conf \
testsuites/1.inputname_imtcp_12514 \
testsuites/1.inputname_imtcp_12515 \
testsuites/1.inputname_imtcp_12516 \
inputname-imtcp.sh \
omod-if-array.sh \
omod-if-array-udp.sh \
discard.sh \
testsuites/discard.conf \
failover-no-rptd.sh \
@ -1603,11 +1612,6 @@ EXTRA_DIST= \
testsuites/dynfile_cachemiss.conf \
dynfile_invalid2.sh \
testsuites/dynfile_invalid2.conf \
proprepltest.sh \
testsuites/rfctag.conf \
testsuites/master.rfctag \
testsuites/nolimittag.conf \
testsuites/master.nolimittag \
rulesetmultiqueue.sh \
testsuites/rulesetmultiqueue.conf \
rulesetmultiqueue-v6.sh \
@ -1639,11 +1643,9 @@ EXTRA_DIST= \
execonlywhenprevsuspended-nonsusp-queue.sh \
testsuites/execonlywhenprevsuspended-nonsusp-queue.conf \
tabescape_dflt.sh \
testsuites/tabescape_dflt.conf \
testsuites/1.tabescape_dflt \
tabescape_dflt-udp.sh \
tabescape_off.sh \
testsuites/tabescape_off.conf \
testsuites/1.tabescape_off \
tabescape_off-udp.sh \
dircreate_dflt.sh \
testsuites/dircreate_dflt.conf \
dircreate_off.sh \
@ -1913,19 +1915,20 @@ EXTRA_DIST= \
testsuites/sndrcv_tls_priorityString_rcvr.conf \
omtcl.sh \
omtcl.tcl \
pmsnare.sh \
testsuites/pmsnare_default.conf \
testsuites/pmsnare_ccoff.conf \
testsuites/pmsnare_ccdefault.conf \
testsuites/pmsnare_cccstyle.conf \
testsuites/pmsnare_ccbackslash.conf \
testsuites/pmsnare_modoverride.conf \
testsuites/sample.pmsnare_default \
testsuites/sample.pmsnare_ccoff \
testsuites/sample.pmsnare_ccdefault \
testsuites/sample.pmsnare_cccstyle \
testsuites/sample.pmsnare_ccbackslash \
testsuites/sample.pmsnare_modoverride \
pmsnare-default.sh \
pmsnare-default-udp.sh \
pmsnare-ccoff.sh \
pmsnare-ccoff-udp.sh \
pmsnare-ccdefault.sh \
pmsnare-ccdefault-udp.sh \
pmsnare-cccstyle.sh \
pmsnare-cccstyle-udp.sh \
pmsnare-ccbackslash.sh \
pmsnare-ccbackslash-udp.sh \
pmsnare-modoverride.sh \
pmsnare-modoverride-udp.sh \
pmlastmsg.sh \
pmlastmsg-udp.sh \
testsuites/include-std-omfile-action.conf \
pgsql-basic.sh \
testsuites/pgsql-basic.sql \
@ -1996,9 +1999,6 @@ randomgen_LDADD = $(SOL_LIBS)
inputfilegen_SOURCES = inputfilegen.c
inputfilegen_LDADD = $(SOL_LIBS)
nettester_SOURCES = nettester.c getline.c
nettester_LDADD = $(SOL_LIBS)
# rtinit tests disabled for the moment - also questionable if they
# really provide value (after all, everything fails if rtinit fails...)
#rt_init_SOURCES = rt-init.c $(test_files)
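Review bot: The refactored tests are still listed under `if ENABLE_OMSTDOUT` and `if ENABLE_IMPTCP` in the TESTS hunk, although the new scripts shown in this commit load imtcp or imudp and write through omfile. Those conditionals matched nettester, which read rsyslogd's output from a pipe; with it removed, a build configured without omstdout or imptcp would presumably drop all of these tests without any message. Consider moving the list out of both conditionals, or, if the gating is intentional, stating it with a comment such as `# gated for historical reasons: the tests below need only imtcp/imudp and omfile`.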


@ -44,7 +44,8 @@ TB_TIMEOUT_STARTSTOP=400 # timeout for start/stop rsyslogd in tenths (!) of a se
# note that 40sec for the startup should be sufficient even on very slow machines. we changed this from 2min on 2017-12-12
export RSYSLOG_DEBUG_TIMEOUTS_TO_STDERR="on" # we want to know when we loose messages due to timeouts
# newer functionality is preferrably introduced via bash functions
# rgerhards, 2018-07-03
function rsyslog_testbench_test_url_access() {
local missing_requirements=
if ! hash curl 2>/dev/null ; then
@ -65,6 +66,42 @@ function rsyslog_testbench_test_url_access() {
fi
}
function setvar_RS_HOSTNAME() {
rm -f HOSTNAME
. $srcdir/diag.sh startup gethostname.conf
. $srcdir/diag.sh tcpflood -m1 -M "\"<128>\""
. $srcdir/diag.sh shutdown-when-empty # shut down rsyslogd when done processing messages
. $srcdir/diag.sh wait-shutdown # we need to wait until rsyslogd is finished!
export RS_HOSTNAME="$(cat HOSTNAME)"
echo HOSTNAME is: $RS_HOSTNAME
}
# compare file to expected exact content
# $1 is file to compare
function cmp_exact() {
if [ "$1" == "" ]; then
printf "Testbench ERROR, cmp_exact() needs filename as \$1\n"
. $srcdir/diag.sh error-exit 1
fi
if [ "$EXPECTED" == "" ]; then
printf "Testbench ERROR, cmp_exact() needs to have env var EXPECTED set!\n"
. $srcdir/diag.sh error-exit 1
fi
printf "%s\n" "$EXPECTED" | cmp - "$1"
if [ $? -ne 0 ]; then
echo "invalid response generated"
echo "################# $1 is:"
cat -n rsyslog.out.log
echo "################# EXPECTED was:"
printf "%s\n" "$EXPECTED" | cat -n -
printf "\n#################### diff is:\n"
printf "%s\n" "$EXPECTED" | diff - "$1"
. $srcdir/diag.sh error-exit 1
fi;
}
#START: ext kafka config
dep_cache_dir=$(readlink -f $srcdir/.dep_cache)
dep_zk_url=http://www-us.apache.org/dist/zookeeper/zookeeper-3.4.10/zookeeper-3.4.10.tar.gz
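Review bot: In cmp_exact() the failure branch prints the header `################# $1 is:` but then runs `cat -n rsyslog.out.log`, so a caller that compares any other file gets the wrong content in the diagnostics; the line should be `cat -n "$1"`. In setvar_RS_HOSTNAME(), `export RS_HOSTNAME="$(cat HOSTNAME)"` hides a failed `cat`, so a run in which rsyslogd never wrote HOSTNAME continues with an empty value; checking `[ -s HOSTNAME ]` first and calling error-exit otherwise would make that visible. Both functions also expand `$srcdir` unquoted, which breaks for a source directory whose path contains spaces.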

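--- a/tests/fieldtest-udp.sh
+++ b/tests/fieldtest-udp.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
+. $srcdir/diag.sh init
+. $srcdir/diag.sh generate-conf
+. $srcdir/diag.sh add-conf '
+module(load="../plugins/imudp/.libs/imudp")
+input(type="imudp" port="13514" ruleset="ruleset1")
+template(name="outfmt" type="string" string="%msg:F,32:2%\n")
+ruleset(name="ruleset1") {
+action(type="omfile" file="rsyslog.out.log"
+template="outfmt")
+}
+'
+. $srcdir/diag.sh startup
+. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78 DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0\""
+. $srcdir/diag.sh shutdown-when-empty
+. $srcdir/diag.sh wait-shutdown
+echo 'DROP_url_www.sina.com.cn:IN=eth1' | cmp - rsyslog.out.log
+if [ ! $? -eq 0 ]; then
+echo "invalid response generated, rsyslog.out.log is:"
+cat rsyslog.out.log
+. $srcdir/diag.sh error-exit 1
+fi;
+. $srcdir/diag.sh exit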
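Review bot: The `input(type="imudp" port="13514" ruleset="ruleset1")` line sets no `address`, so as far as the visible config shows rsyslogd accepts datagrams on every interface of the build host while the test runs, and any stray packet on that fixed port lands in rsyslog.out.log and breaks the exact `cmp`. Binding the listener to loopback keeps the test self-contained: `input(type="imudp" address="127.0.0.1" port="13514" ruleset="ruleset1")`. This assumes tcpflood sends to 127.0.0.1 by default, which the page does not show. omod-if-array-udp.sh has the same input line.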


@ -1,17 +1,29 @@
#!/bin/bash
echo \[fieldtest.sh\]: test fieldtest via udp
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
$srcdir/killrsyslog.sh # kill rsyslogd if it runs for some reason
. $srcdir/diag.sh generate-HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
./nettester -tfield1 -iudp
if [ "$?" -ne "0" ]; then
exit 1
fi
template(name="outfmt" type="string" string="%msg:F,32:2%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78 DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo 'DROP_url_www.sina.com.cn:IN=eth1' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
echo test fieldtest via tcp
./nettester -tfield1 -itcp
if [ "$?" -ne "0" ]; then
exit 1
fi
. $srcdir/diag.sh exit

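--- a/tests/inputname-imtcp.sh
+++ b/tests/inputname-imtcp.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
+. $srcdir/diag.sh init
+. $srcdir/diag.sh generate-conf
+. $srcdir/diag.sh add-conf '
+module(load="../plugins/imtcp/.libs/imtcp")
+input(type="imtcp" name="12514" port="12514" ruleset="ruleset1")
+input(type="imtcp" name="12515" port="12515" ruleset="ruleset1")
+input(type="imtcp" name="12516" port="12516" ruleset="ruleset1")
+template(name="outfmt" type="string" string="%inputname%\n")
+ruleset(name="ruleset1") {
+action(type="omfile" file="rsyslog.out.log"
+template="outfmt")
+}
+'
+. $srcdir/diag.sh startup
+. $srcdir/diag.sh tcpflood -p12514 -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: MSG\""
+. $srcdir/diag.sh tcpflood -p12515 -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: MSG\""
+. $srcdir/diag.sh tcpflood -p12516 -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: MSG\""
+. $srcdir/diag.sh shutdown-when-empty
+. $srcdir/diag.sh wait-shutdown
+echo '12514
+12515
+12516' | cmp - rsyslog.out.log
+if [ ! $? -eq 0 ]; then
+echo "invalid response generated, rsyslog.out.log is:"
+cat rsyslog.out.log
+. $srcdir/diag.sh error-exit 1
+fi;
+. $srcdir/diag.sh exit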
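Review bot: The closing `echo '…' | cmp - rsyslog.out.log` block re-implements what the cmp_exact() helper added to the testbench plumbing in this same commit provides, and on failure it only dumps the file, where the helper also prints the expected text and a diff. With three expected lines this is the test that gains most: set `EXPECTED` to the three port numbers, one per line, and replace the block with `cmp_exact rsyslog.out.log`. This assumes the plumbing section is the diag.sh these scripts source, which the page does not label. The same hand-written block closes fieldtest.sh, fieldtest-udp.sh, omod-if-array.sh and omod-if-array-udp.sh.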


@ -1,24 +0,0 @@
#!/bin/bash
echo \[inputname.sh\]: testing $InputTCPServerInputName directive
. $srcdir/diag.sh init
. $srcdir/killrsyslog.sh # kill rsyslogd if it runs for some reason
. $srcdir/diag.sh generate-HOSTNAME
echo port 12514
./nettester -tinputname_imtcp_12514 -cinputname_imtcp -itcp -p12514
if [ "$?" -ne "0" ]; then
exit 1
fi
echo port 12515
./nettester -tinputname_imtcp_12515 -cinputname_imtcp -itcp -p12515
if [ "$?" -ne "0" ]; then
exit 1
fi
echo port 12516
./nettester -tinputname_imtcp_12516 -cinputname_imtcp -itcp -p12516
if [ "$?" -ne "0" ]; then
exit 1
fi
. $srcdir/diag.sh exit


@ -1,674 +0,0 @@
/* Runs a test suite on the rsyslog (and later potentially
* other things).
*
* The name of the test suite must be given as argv[1]. In this config,
* rsyslogd is loaded with config ./testsuites/<name>.conf and then
* test cases ./testsuites/ *.<name> are executed on it. This test driver is
* suitable for testing cases where a message sent (via UDP) results in
* exactly one response. It can not be used in cases where no response
* is expected (that would result in a hang of the test driver).
* Note: each test suite can contain many tests, but they all need to work
* with the same rsyslog configuration.
*
* Part of the testbench for rsyslog.
*
* Copyright 2009-2014 Rainer Gerhards and Adiscon GmbH.
*
* This file is part of rsyslog.
*
* Rsyslog is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Rsyslog is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Rsyslog. If not, see <http://www.gnu.org/licenses/>.
*
* A copy of the GPL can be found in the file "COPYING" in this distribution.
*/
#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <assert.h>
#include <unistd.h>
#include <string.h>
#include <glob.h>
#include <signal.h>
#include <netinet/in.h>
#include <getopt.h>
#include <errno.h>
#include <ctype.h>
#include <netdb.h>
#define EXIT_FAILURE 1
#define INVALID_SOCKET -1
/* Name of input file, must match $IncludeConfig in test suite .conf files */
#define NETTEST_INPUT_CONF_FILE "nettest.input.conf"
/* name of input file, must match $IncludeConfig in .conf files */
typedef enum { inputUDP, inputTCP } inputMode_t;
inputMode_t inputMode = inputTCP; /* input for which tests are to be run */
static pid_t rsyslogdPid = 0; /* pid of rsyslog instance being tested */
static char *srcdir; /* global $srcdir, set so that we can run outside of "make check" */
static char *testSuite = NULL; /* name of current test suite */
static int iPort = 12514; /* port which shall be used for sending data */
static char* pszCustomConf = NULL; /* custom config file, use -c conf to specify */
static int verbose = 0; /* verbose output? -v option */
static int IPv4Only = 0; /* use only IPv4 in rsyslogd call? */
static char **ourEnvp;
static char *ourHostName;
/* these two are quick hacks... */
int iFailed = 0;
int iTests = 0;
/* provide user-friednly name of input mode
*/
static char *inputMode2Str(inputMode_t mode)
{
char *pszMode;
if(mode == inputUDP)
pszMode = "udp";
else
pszMode = "tcp";
return pszMode;
}
void readLine(int fd, char *ln)
{
char *orig = ln;
char c;
int lenRead;
if(verbose)
fprintf(stderr, "begin readLine\n");
lenRead = read(fd, &c, 1);
while(lenRead == 1 && c != '\n') {
if(c == '\0') {
*ln = c;
fprintf(stderr, "Warning: there was a '\\0'-Byte in the read response "
"right after this string: '%s'\n", orig);
c = '?';
}
*ln++ = c;
lenRead = read(fd, &c, 1);
}
*ln = '\0';
if(lenRead < 0) {
fprintf(stderr, "read from rsyslogd returned with error '%s' - aborting test\n", strerror(errno));
exit(1);
}
if(verbose)
fprintf(stderr, "end readLine, val read '%s'\n", orig);
}
/* send a message via TCP
* We open the connection on the initial send, and never close it
* (let the OS do that). If a conneciton breaks, we do NOT try to
* recover, so all test after that one will fail (and the test
* driver probably hang. returns 0 if ok, something else otherwise.
* We use traditional framing '\n' at EOR for this tester. It may be
* worth considering additional framing modes.
* rgerhards, 2009-04-08
* Note: we re-create the socket within the retry loop, because this
* seems to be needed under Solaris. If we do not do that, we run
* into troubles (maybe something wrongly initialized then?)
* -- rgerhards, 2010-04-12
*/
int
tcpSend(char *buf, int lenBuf)
{
static int sock = INVALID_SOCKET;
struct sockaddr_in addr;
int retries;
int ret;
int iRet = 0; /* 0 OK, anything else error */
if(sock == INVALID_SOCKET) {
/* first time, need to connect to target */
retries = 0;
while(1) { /* loop broken inside */
/* first time, need to connect to target */
if((sock=socket(AF_INET, SOCK_STREAM, 0))==-1) {
perror("socket()");
iRet = 1;
goto finalize_it;
}
memset((char *) &addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(iPort);
if(inet_aton("127.0.0.1", &addr.sin_addr)==0) {
fprintf(stderr, "inet_aton() failed\n");
iRet = 1;
goto finalize_it;
}
if((ret = connect(sock, (struct sockaddr*)&addr, sizeof(addr))) == 0) {
break;
} else {
if(retries++ == 50) {
fprintf(stderr, "connect() failed\n");
iRet = 1;
goto finalize_it;
} else {
usleep(100000); /* ms = 1000 us! */
}
}
}
}
/* send test data */
if((ret = send(sock, buf, lenBuf, 0)) != lenBuf) {
perror("send test data");
fprintf(stderr, "send() failed, sock=%d, ret=%d\n", sock, ret);
iRet = 1;
goto finalize_it;
}
/* send record terminator */
if(send(sock, "\n", 1, 0) != 1) {
perror("send record terminator");
fprintf(stderr, "send() failed\n");
iRet = 1;
goto finalize_it;
}
finalize_it:
if(iRet != 0) {
/* need to do some (common) cleanup */
if(sock != INVALID_SOCKET) {
close(sock);
sock = INVALID_SOCKET;
}
++iFailed;
}
return iRet;
}
/* send a message via UDP
* returns 0 if ok, something else otherwise.
*/
int
udpSend(char *buf, int lenBuf)
{
struct sockaddr_in si_other;
int s, slen=sizeof(si_other);
if((s=socket(AF_INET, SOCK_DGRAM, 0))==-1) {
perror("socket()");
return(1);
}
memset((char *) &si_other, 0, sizeof(si_other));
si_other.sin_family = AF_INET;
si_other.sin_port = htons(iPort);
if(inet_aton("127.0.0.1", &si_other.sin_addr)==0) {
fprintf(stderr, "inet_aton() failed\n");
return(1);
}
if(sendto(s, buf, lenBuf, 0, (struct sockaddr*) &si_other, slen)==-1) {
perror("sendto");
fprintf(stderr, "sendto() failed\n");
return(1);
}
close(s);
return 0;
}
/* open pipe to test candidate - so far, this is
* always rsyslogd and with a fixed config. Later, we may
* change this. Returns 0 if ok, something else otherwise.
* rgerhards, 2009-03-31
*/
int openPipe(char *configFile, pid_t *pid, int *pfd)
{
int pipefd[2];
pid_t cpid;
char *newargv[] = {"../tools/rsyslogd", "dummy", "-C", "-n", "-irsyslog.pid",
"-M../runtime/.libs:../.libs", NULL, NULL};
char confFile[1024];
sprintf(confFile, "-f%s/testsuites/%s.conf", srcdir,
(pszCustomConf == NULL) ? configFile : pszCustomConf);
newargv[1] = confFile;
if(IPv4Only)
newargv[(sizeof(newargv)/sizeof(char*)) - 2] = "-4";
if (pipe(pipefd) == -1) {
perror("pipe");
fprintf(stderr, "error pipe\n");
exit(EXIT_FAILURE);
}
cpid = fork();
if (cpid == -1) {
perror("fork");
fprintf(stderr, "error fork\n");
exit(EXIT_FAILURE);
}
if(cpid == 0) { /* Child reads from pipe */
fclose(stdout);
if(dup(pipefd[1]) == -1) {
perror("dup");
fprintf(stderr, "error dup\n");
exit(1);
}
close(pipefd[1]);
close(pipefd[0]);
fclose(stdin);
execve("../tools/rsyslogd", newargv, ourEnvp);
} else {
usleep(10000);
close(pipefd[1]);
*pid = cpid;
*pfd = pipefd[0];
}
return(0);
}
/* This function unescapes a string of testdata. That it, escape sequences
* are converted into their one-character equivalent. While doing so, it applies
* C-like semantics. This was made necessary for easy integration of control
* characters inside test cases. -- rgerhards, 2009-03-11
* Currently supported:
* \\ single backslash
* \n, \t, \r as in C
* \nnn where nnn is a 1 to 3 character octal sequence
* Note that when a problem occurs, the end result is undefined. After all, this
* is for a testsuite generatort, it must not be 100% bullet proof (so do not
* copy this code into something that must be!). Also note that we do in-memory
* unescaping and assume that the string gets shorter but NEVER longer!
*/
void unescapeTestdata(char *testdata)
{
char *pDst;
char *pSrc;
int i;
int c;
pDst = pSrc = testdata;
while(*pSrc) {
if(*pSrc == '\\') {
switch(*++pSrc) {
case '\\': *pDst++ = *pSrc++;
break;
case 'n': *pDst++ = '\n';
++pSrc;
break;
case 'r': *pDst++ = '\r';
++pSrc;
break;
case 't': *pDst++ = '\t';
++pSrc;
break;
case '0':
case '1':
case '2':
case '3': c = *pSrc++ - '0';
i = 1; /* we already processed one digit! */
while(i < 3 && isdigit(*pSrc)) {
c = c * 8 + *pSrc++ - '0';
++i;
}
*pDst++ = c;
break;
default: break;
}
} else {
*pDst++ = *pSrc++;
}
}
*pDst = '\0';
}
/* A version of getline() that aborts on error. Primarily introduced
* to make the compiler happy.
*/
static void
getline_abort(char **lineptr, size_t *const n, FILE *stream)
{
if(getline(lineptr, n, stream) == -1) {
int e = errno;
if(!feof(stream)) {
perror("getline");
fprintf(stderr, "error %d getline\n", e);
exit(1);
}
}
}
/* expand variables in expected string. Here we use tilde (~) as expension
* character, because the more natural % is very common in syslog messages
* (and most importantly in the samples we currently have.
* Currently supported are:
* ~H - our hostname
* Note: yes, there are vulns in this code. Doesn't matter, as it is a
* quick and dirty test program, NOT intended to be used in any production!
*/
static void
doVarsInExpected(char **pe)
{
char *n, *newBase;
char *e = *pe;
n = newBase = malloc(strlen(e) + 1024); /* we simply say "sufficient" */
while(*e) {
if(*e == '~') {
++e;
if(*e == 'H') {
++e;
char *hn = ourHostName;
while(*hn)
*n++ = *hn++;
} else {
*n++ = '?';
++e;
}
} else if(*e == '\\') {
++e; /* skip */
*n++ = *e++;
} else {
*n++ = *e++;
}
}
*n = '\0';
free(*pe);
*pe = newBase;
}
/* Process a specific test case. File name is provided.
* Needs to return 0 if all is OK, something else otherwise.
*/
int
processTestFile(int fd, char *pszFileName)
{
FILE *fp;
char *testdata = NULL;
char *expected = NULL;
int ret = 0;
size_t lenLn;
char buf[4096];
if((fp = fopen((char*)pszFileName, "r")) == NULL) {
perror((char*)pszFileName);
return(2);
}
/* skip comments at start of file */
while(!feof(fp)) {
getline_abort(&testdata, &lenLn, fp);
while(!feof(fp)) {
if(*testdata == '#')
getline_abort(&testdata, &lenLn, fp);
else
break; /* first non-comment */
}
/* this is not perfect, but works ;) */
if(feof(fp))
break;
++iTests; /* increment test count, we now do one! */
testdata[strlen(testdata)-1] = '\0'; /* remove \n */
/* now we have the test data to send (we could use function pointers here...) */
unescapeTestdata(testdata);
if(inputMode == inputUDP) {
if(udpSend(testdata, strlen(testdata)) != 0)
return(2);
} else {
if(tcpSend(testdata, strlen(testdata)) != 0)
return(2);
}
/* next line is expected output
* we do not care about EOF here, this will lead to a failure and thus
* draw enough attention. -- rgerhards, 2009-03-31
*/
getline_abort(&expected, &lenLn, fp);
expected[strlen(expected)-1] = '\0'; /* remove \n */
doVarsInExpected(&expected);
/* pull response from server and then check if it meets our expectation */
readLine(fd, buf);
if(strlen(buf) == 0) {
fprintf(stderr, "something went wrong - read a zero-length string from rsyslogd\n");
exit(1);
}
if(strcmp(expected, buf)) {
++iFailed;
fprintf(stderr, "\nFile %s:\nExpected Response:\n'%s'\nActual Response:\n'%s'\n",
pszFileName, expected, buf);
ret = 1;
}
/* we need to free buffers, as we have potentially modified them! */
free(testdata);
testdata = NULL;
free(expected);
expected = NULL;
}
fclose(fp);
return(ret);
}
/* carry out all tests. Tests are specified via a file name
* wildcard. Each of the files is read and the test carried
* out.
* Returns the number of tests that failed. Zero means all
* success.
*/
int
doTests(int fd, char *files)
{
int ret;
char *testFile;
glob_t testFiles;
size_t i = 0;
struct stat fileInfo;
glob(files, GLOB_MARK, NULL, &testFiles);
for(i = 0; i < testFiles.gl_pathc; i++) {
testFile = testFiles.gl_pathv[i];
if(stat((char*) testFile, &fileInfo) != 0)
continue; /* continue with the next file if we can't stat() the file */
/* all regular files are run through the test logic. Symlinks don't work. */
if(S_ISREG(fileInfo.st_mode)) { /* config file */
if(verbose) fprintf(stderr, "processing test case '%s' ... ", testFile);
ret = processTestFile(fd, testFile);
if(ret == 0) {
if(verbose) fprintf(stderr, "successfully completed\n");
} else {
if(!verbose)
fprintf(stderr, "test '%s' ", testFile);
fprintf(stderr, "failed!\n");
}
}
}
globfree(&testFiles);
if(iTests == 0) {
fprintf(stderr, "Error: no test cases found, no tests executed.\n");
iFailed = 1;
} else {
fprintf(stderr, "Number of tests run: %3d, number of failures: %d, test: %s/%s\n",
iTests, iFailed, testSuite, inputMode2Str(inputMode));
}
return(iFailed);
}
/* indicate that our child has died (where it is not permitted to!).
*/
void childDied(__attribute__((unused)) int sig)
{
fprintf(stderr, "ERROR: child died unexpectedly (maybe a segfault?)!\n");
exit(1);
}
/* cleanup */
void doAtExit(void)
{
int status;
/* disarm died-child handler */
signal(SIGCHLD, SIG_IGN);
if(rsyslogdPid != 0) {
kill(rsyslogdPid, SIGTERM);
waitpid(rsyslogdPid, &status, 0); /* wait until instance terminates */
}
unlink(NETTEST_INPUT_CONF_FILE);
}
/* Note: the HOSTNAME file must have been pre-generated */
static void
getHostname(void)
{
size_t dummy;
FILE *fp;
if((fp = fopen("HOSTNAME", "r")) == NULL) {
perror("HOSTNAME");
fprintf(stderr, "error opening HOSTNAME configuration file\n");
exit(1);
}
getline_abort(&ourHostName, &dummy, fp);
fclose(fp);
}
/* Run the test suite. This must be called with exactly one parameter, the
* name of the test suite. For details, see file header comment at the top
* of this file.
* rgerhards, 2009-04-03
*/
int main(int argc, char *argv[], char *envp[])
{
int fd;
int opt;
int ret = 0;
FILE *fp;
char buf[4096];
char testcases[4096];
ourEnvp = envp;
getHostname();
while((opt = getopt(argc, argv, "4c:i:p:t:v")) != EOF) {
switch((char)opt) {
case '4':
IPv4Only = 1;
break;
case 'c':
pszCustomConf = optarg;
break;
case 'i':
if(!strcmp(optarg, "udp"))
inputMode = inputUDP;
else if(!strcmp(optarg, "tcp"))
inputMode = inputTCP;
else {
fprintf(stderr, "error: unsupported input mode '%s'\n", optarg);
exit(1);
}
break;
case 'p':
iPort = atoi(optarg);
break;
case 't':
testSuite = optarg;
break;
case 'v':
verbose = 1;
break;
default:fprintf(stderr, "Invalid call of nettester, invalid option '%c'.\n", opt);
fprintf(stderr, "Usage: nettester -d -ttestsuite-name -iudp|tcp [-pport] "
"[-ccustomConfFile] \n");
exit(1);
}
}
if(testSuite == NULL) {
fprintf(stderr, "error: no testsuite given, need to specify -t testsuite!\n");
exit(1);
}
atexit(doAtExit);
if((srcdir = getenv("srcdir")) == NULL)
srcdir = ".";
if(verbose) fprintf(stderr, "Start of nettester run ($srcdir=%s, testsuite=%s, input=%s/%d)\n",
srcdir, testSuite, inputMode2Str(inputMode), iPort);
/* create input config file */
if((fp = fopen(NETTEST_INPUT_CONF_FILE, "w")) == NULL) {
perror(NETTEST_INPUT_CONF_FILE);
fprintf(stderr, "error opening input configuration file\n");
exit(1);
}
if(inputMode == inputUDP) {
fputs("$ModLoad ../plugins/imudp/.libs/imudp\n", fp);
fprintf(fp, "$UDPServerRun %d\n", iPort);
} else {
fputs("$ModLoad ../plugins/imtcp/.libs/imtcp\n", fp);
fprintf(fp, "$InputTCPServerRun %d\n", iPort);
}
fclose(fp);
/* arm died-child handler */
signal(SIGCHLD, childDied);
/* make sure we do not abort if there is an issue with pipes.
* our code does the necessary error handling.
*/
sigset(SIGPIPE, SIG_IGN);
/* start to be tested rsyslogd */
openPipe(testSuite, &rsyslogdPid, &fd);
readLine(fd, buf);
/* generate filename */
sprintf(testcases, "%s/testsuites/*.%s", srcdir, testSuite);
if(doTests(fd, testcases) != 0)
ret = 1;
if(verbose) fprintf(stderr, "End of nettester run (%d).\n", ret);
exit(ret);
}

tests/omod-if-array-udp.sh Executable file
View File

@ -0,0 +1,29 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%PRI%%timestamp%%hostname%%programname%%syslogtag%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '167Mar 6 16:57:54172.20.245.8%PIX-7-710005%PIX-7-710005:' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
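Review bot: The new config writes through `action(type="omfile" ...)` with a string template, so nothing here appears to exercise the output-module array interface that the test name refers to; the same holds for the rewritten omod-if-array.sh. The old omod-if-array.sh skipped with `exit 77` because that interface was unsupported, and the Makefile still lists both scripts under `ENABLE_OMSTDOUT`. As written the pair can pass while the array interface stays untested. I would either keep the skip or state the reduced scope at the top, e.g. `# NOTE: checks PRI/timestamp/hostname/tag formatting via omfile only; the omod array interface is not covered`.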


@ -1,19 +1,29 @@
#!/bin/bash
echo \[omod-if-array.sh\]: test omod-if-array via udp
echo NOTE: the interface checked with this test is currently NOT
echo supported. We may support it again in the future. So for now\,
echo we just skip this test and do not remove it.
exit 77
$srcdir/killrsyslog.sh # kill rsyslogd if it runs for some reason
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
./nettester -tomod-if-array -iudp -p4711
if [ "$?" -ne "0" ]; then
exit 1
fi
template(name="outfmt" type="string" string="%PRI%%timestamp%%hostname%%programname%%syslogtag%\n")
echo test omod-if-array via tcp
./nettester -tomod-if-array -itcp
if [ "$?" -ne "0" ]; then
exit 1
fi
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '167Mar 6 16:57:54172.20.245.8%PIX-7-710005%PIX-7-710005:' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
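Review bot: The result check is hand-rolled as `echo '...' | cmp - rsyslog.out.log` plus `if [ ! $? -eq 0 ]`, while other scripts in this same commit use the new `export EXPECTED=...` / `cmp_exact rsyslog.out.log` pair that the commit message introduces as the preferred bash-function plumbing. Using one form everywhere keeps failure reporting uniform and removes the unquoted `$?` test. Here that would be `export EXPECTED='167Mar 6 16:57:54172.20.245.8%PIX-7-710005%PIX-7-710005:'` followed by `cmp_exact rsyslog.out.log`, assuming cmp_exact treats the trailing newline the way `echo` does. The same applies to omod-if-array-udp.sh and to the later scripts on this page that compare with `echo ... | cmp -`.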


@ -0,0 +1,32 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp:::date-rfc3164-buggyday%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<38> Mar 7 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<38> Mar 17 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '38,auth,info,Mar 07 19:06:53,example,tag,tag:, testmessage (only date actually tested)
38,auth,info,Mar 17 19:06:53,example,tag,tag:, testmessage (only date actually tested)' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
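Review bot: `shutdown-when-empty` follows the two UDP sends directly, and UDP gives no delivery confirmation, so a datagram that imudp has not yet read when the queue is checked would presumably be lost and the `cmp` would fail intermittently. diag.sh is not visible here, so this is inferred from the script alone. The other `-T "udp"` scripts in this commit follow the same sequence. I would wait for the expected number of lines in rsyslog.out.log before shutdown, and at least record the assumption: `# UDP: sends are unacknowledged; wait until rsyslog.out.log has 2 lines before shutting down`.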


@ -0,0 +1,32 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp:::date-rfc3164-buggyday%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<38> Mar 7 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<38> Mar 17 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '38,auth,info,Mar 07 19:06:53,example,tag,tag:, testmessage (only date actually tested)
38,auth,info,Mar 17 19:06:53,example,tag,tag:, testmessage (only date actually tested)' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit


@ -0,0 +1,28 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<27>xapi: [error|xen3|15|Guest liveness monitor D:bca30ab3f1c1|master_connection] Connection to master died. I will continue to retry indefinitely (supressing future logging of this message)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"This is a message!\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED="27,daemon,err,$RS_HOSTNAME,xapi,xapi:, [error|xen3|15|Guest liveness monitor D:bca30ab3f1c1|master_connection] Connection to master died. I will continue to retry indefinitely (supressing future logging of this message)
13,user,notice,This,is,is, a message!"
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
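Review bot: `input(type="imudp" port="13514" ruleset="ruleset1")` sets no `address`, so the test daemon accepts datagrams on every local interface for the duration of the run, and any host that can reach the build machine can add lines to rsyslog.out.log and fail the exact comparison. Binding to loopback keeps the test self-contained: `input(type="imudp" address="127.0.0.1" port="13514" ruleset="ruleset1")`. This assumes tcpflood sends to 127.0.0.1 when no target is given, as the script passes none. The other imudp scripts in this commit have the same listener line; the imtcp ones would need the equivalent if that input supports it in this version.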


@ -0,0 +1,27 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<27>xapi: [error|xen3|15|Guest liveness monitor D:bca30ab3f1c1|master_connection] Connection to master died. I will continue to retry indefinitely (supressing future logging of this message)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"This is a message!\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED="27,daemon,err,$RS_HOSTNAME,xapi,xapi:, [error|xen3|15|Guest liveness monitor D:bca30ab3f1c1|master_connection] Connection to master died. I will continue to retry indefinitely (supressing future logging of this message)
13,user,notice,This,is,is, a message!"
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
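Review bot: Every `. $srcdir/diag.sh ...` line expands `$srcdir` unquoted and without a fallback, so running the script by hand with `srcdir` unset sources `/diag.sh`, and a checkout path containing spaces splits the argument. The removed nettester defaulted `srcdir` to `.` when the variable was missing; the shell replacements lose that. All scripts added here follow the same pattern, so one line at the top of each is enough: `: "${srcdir:=.}"` followed by `. "$srcdir/diag.sh" init`.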

83
tests/parsertest-parse1-udp.sh Executable file

@ -0,0 +1,83 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Apr 6 15:07:10 lxcvs07 sshd(pam_unix)[31738]: session closed for user cvsadmin\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Jul 31 21:39:21 example-b example-gw[10538]: disconnect host=/192.0.2.1 destination=192.0.2.2/11282 in=3274 out=1448 duration=0\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>AUG 10 22:18:24 host tag This msg contains 8-bit European chars: äöü\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167> Mar 7 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 7 2008 19:06:53: example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 7 2008 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 7 19:06:53: example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>Jan 6 2009 15:22:26 localhost\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Oct 8 23:05:06 10.321.1.123 05\\\",result_code=200,b\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Feb 18 16:01:59 serverX -- MARK --\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"Feb 18 16:01:59 serverX -- MARK --\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<38>Mar 27 19:06:53 source_server 0123456789012345678901234567890123456789: MSG part\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<29>Oct 16 20:47:24 example-p exam-pl[12345]: connect host= /192.0.2.1\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<34>Oct 11 22:14:15 mymachine su: su root failed for lonvick on /dev/pts/8\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOMsu root failed for lonvick on /dev/pts/8\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% Its time to make the do-nuts.\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\\\"3\\\" eventSource= \\\"Application\\\" eventID=\\\"1011\\\"][examplePriority@32473 class=\\\"high\\\"]\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\\\"3\\\" eventSource= \\\"Application\\\" eventID=\\\"1011\\\"] BOMAn application event log entry...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<6>AUG 10 22:18:24 2009 netips-warden2-p [audit] user=[*SMS] src=192.168.11.11 iface=5 access=9 Update State Reset\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>Aug 30 23:00:05 X4711 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>Aug 30 23:00:05 X4711 \""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>Aug 30 23:00:05 X4711\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>Aug 30 23:00:05 \""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>Aug 30 23:00:05\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2010-08-30T23:00:05Z X4711 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2010-08-30T23:00:05Z X4711 \""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2010-08-30T23:00:05Z X4711\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED="167,local4,debug,Mar 6 16:57:54,172.20.245.8,%PIX-7-710005,%PIX-7-710005:, UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
167,local4,debug,Mar 27 19:06:53,source_server,sshd(pam_unix),sshd(pam_unix)[12750]:, session opened for user foo by (uid=0)
167,local4,debug,Apr 6 15:07:10,lxcvs07,sshd(pam_unix),sshd(pam_unix)[31738]:, session closed for user cvsadmin
167,local4,debug,Jul 31 21:39:21,example-b,example-gw,example-gw[10538]:, disconnect host=/192.0.2.1 destination=192.0.2.2/11282 in=3274 out=1448 duration=0
167,local4,debug,Aug 10 22:18:24,host,tag,tag, This msg contains 8-bit European chars: äöü
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
14,user,info,Jan 6 15:22:26,localhost,,,
167,local4,debug,Oct 8 23:05:06,10.321.1.123,05\",result_code=200,b,05\",result_code=200,b,
167,local4,debug,Feb 18 16:01:59,serverX,--,--, MARK --
13,user,notice,Feb 18 16:01:59,serverX,--,--, MARK --
38,auth,info,Mar 27 19:06:53,source_server,0123456789012345678901234567890123456789,0123456789012345678901234567890123456789:, MSG part
29,daemon,notice,Oct 16 20:47:24,example-p,exam-pl,exam-pl[12345]:, connect host= /192.0.2.1
34,auth,crit,Oct 11 22:14:15,mymachine,su,su:, su root failed for lonvick on /dev/pts/8
34,auth,crit,Oct 11 22:14:15,mymachine.example.com,,su,BOMsu root failed for lonvick on /dev/pts/8
165,local4,notice,Aug 24 05:14:15,192.0.2.1,,myproc[8710],%% Its time to make the do-nuts.
165,local4,notice,Oct 11 22:14:15,mymachine.example.com,,evntslog,
165,local4,notice,Oct 11 22:14:15,mymachine.example.com,,evntslog,BOMAn application event log entry...
6,kern,info,Aug 10 22:18:24,2009,,, netips-warden2-p [audit] user=[*SMS] src=192.168.11.11 iface=5 access=9 Update State Reset
14,user,info,Aug 30 23:00:05,X4711,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
14,user,info,Aug 30 23:00:05,X4711,,,
14,user,info,Aug 30 23:00:05,X4711,,,
14,user,info,Aug 30 23:00:05,$RS_HOSTNAME,,,
14,user,info,Aug 30 23:00:05,$RS_HOSTNAME,,,
14,user,info,Aug 30 23:00:05,X4711,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
14,user,info,Aug 30 23:00:05,X4711,,,
14,user,info,Aug 30 23:00:05,X4711,,,"
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
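Review bot: This UDP variant sets `global(localHostname="localhost")` while parsertest-parse1.sh does not, yet both compare against the same EXPECTED text, including the `$RS_HOSTNAME` lines for the host-less `<14>Aug 30 23:00:05` messages. Either the setting has no effect on the result or the TCP variant is missing it; the script does not say which. I would drop the line if it is a leftover, or keep it with a comment naming the case that needs it, e.g. `# localHostname pinned because <reason>; RS_HOSTNAME still applies to messages without a HOSTNAME field`.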

82
tests/parsertest-parse1.sh Executable file

@ -0,0 +1,82 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Apr 6 15:07:10 lxcvs07 sshd(pam_unix)[31738]: session closed for user cvsadmin\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Jul 31 21:39:21 example-b example-gw[10538]: disconnect host=/192.0.2.1 destination=192.0.2.2/11282 in=3274 out=1448 duration=0\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>AUG 10 22:18:24 host tag This msg contains 8-bit European chars: äöü\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167> Mar 7 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 7 2008 19:06:53: example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 7 2008 19:06:53 example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 7 19:06:53: example tag: testmessage (only date actually tested)\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>Jan 6 2009 15:22:26 localhost\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Oct 8 23:05:06 10.321.1.123 05\\\",result_code=200,b\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Feb 18 16:01:59 serverX -- MARK --\""
. $srcdir/diag.sh tcpflood -m1 -M "\"Feb 18 16:01:59 serverX -- MARK --\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<38>Mar 27 19:06:53 source_server 0123456789012345678901234567890123456789: MSG part\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<29>Oct 16 20:47:24 example-p exam-pl[12345]: connect host= /192.0.2.1\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<34>Oct 11 22:14:15 mymachine su: su root failed for lonvick on /dev/pts/8\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOMsu root failed for lonvick on /dev/pts/8\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% Its time to make the do-nuts.\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\\\"3\\\" eventSource= \\\"Application\\\" eventID=\\\"1011\\\"][examplePriority@32473 class=\\\"high\\\"]\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\\\"3\\\" eventSource= \\\"Application\\\" eventID=\\\"1011\\\"] BOMAn application event log entry...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<6>AUG 10 22:18:24 2009 netips-warden2-p [audit] user=[*SMS] src=192.168.11.11 iface=5 access=9 Update State Reset\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>Aug 30 23:00:05 X4711 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>Aug 30 23:00:05 X4711 \""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>Aug 30 23:00:05 X4711\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>Aug 30 23:00:05 \""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>Aug 30 23:00:05\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2010-08-30T23:00:05Z X4711 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2010-08-30T23:00:05Z X4711 \""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2010-08-30T23:00:05Z X4711\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED="167,local4,debug,Mar 6 16:57:54,172.20.245.8,%PIX-7-710005,%PIX-7-710005:, UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
167,local4,debug,Mar 27 19:06:53,source_server,sshd(pam_unix),sshd(pam_unix)[12750]:, session opened for user foo by (uid=0)
167,local4,debug,Apr 6 15:07:10,lxcvs07,sshd(pam_unix),sshd(pam_unix)[31738]:, session closed for user cvsadmin
167,local4,debug,Jul 31 21:39:21,example-b,example-gw,example-gw[10538]:, disconnect host=/192.0.2.1 destination=192.0.2.2/11282 in=3274 out=1448 duration=0
167,local4,debug,Aug 10 22:18:24,host,tag,tag, This msg contains 8-bit European chars: äöü
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
167,local4,debug,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
14,user,info,Jan 6 15:22:26,localhost,,,
167,local4,debug,Oct 8 23:05:06,10.321.1.123,05\",result_code=200,b,05\",result_code=200,b,
167,local4,debug,Feb 18 16:01:59,serverX,--,--, MARK --
13,user,notice,Feb 18 16:01:59,serverX,--,--, MARK --
38,auth,info,Mar 27 19:06:53,source_server,0123456789012345678901234567890123456789,0123456789012345678901234567890123456789:, MSG part
29,daemon,notice,Oct 16 20:47:24,example-p,exam-pl,exam-pl[12345]:, connect host= /192.0.2.1
34,auth,crit,Oct 11 22:14:15,mymachine,su,su:, su root failed for lonvick on /dev/pts/8
34,auth,crit,Oct 11 22:14:15,mymachine.example.com,,su,BOMsu root failed for lonvick on /dev/pts/8
165,local4,notice,Aug 24 05:14:15,192.0.2.1,,myproc[8710],%% Its time to make the do-nuts.
165,local4,notice,Oct 11 22:14:15,mymachine.example.com,,evntslog,
165,local4,notice,Oct 11 22:14:15,mymachine.example.com,,evntslog,BOMAn application event log entry...
6,kern,info,Aug 10 22:18:24,2009,,, netips-warden2-p [audit] user=[*SMS] src=192.168.11.11 iface=5 access=9 Update State Reset
14,user,info,Aug 30 23:00:05,X4711,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
14,user,info,Aug 30 23:00:05,X4711,,,
14,user,info,Aug 30 23:00:05,X4711,,,
14,user,info,Aug 30 23:00:05,$RS_HOSTNAME,,,
14,user,info,Aug 30 23:00:05,$RS_HOSTNAME,,,
14,user,info,Aug 30 23:00:05,X4711,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
14,user,info,Aug 30 23:00:05,X4711,,,
14,user,info,Aug 30 23:00:05,X4711,,,"
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit

31
tests/parsertest-parse2-udp.sh Executable file

@ -0,0 +1,31 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<175>Oct 16 23:47:31 #001 MSWinEventLog 0#011Security#01119023582#011Fri Oct 16 16:30:44 2009#011592#011Security#011rgabcde#011User#011Success Audit#011XSXSXSN01#011Detailed Tracking#011#0112572#01119013885\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '175,local5,debug,Oct 16 23:47:31,#001,#001, MSWinEventLog 0#011Security#01119023582#011Fri Oct 16 16:30:44 2009#011592#011Security#011rgabcde#011User#011Success Audit#011XSXSXSN01#011Detailed Tracking#011#0112572#01119013885' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit

31
tests/parsertest-parse2.sh Executable file

@ -0,0 +1,31 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<175>Oct 16 23:47:31 #001 MSWinEventLog 0#011Security#01119023582#011Fri Oct 16 16:30:44 2009#011592#011Security#011rgabcde#011User#011Success Audit#011XSXSXSN01#011Detailed Tracking#011#0112572#01119013885\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '175,local5,debug,Oct 16 23:47:31,#001,#001, MSWinEventLog 0#011Security#01119023582#011Fri Oct 16 16:30:44 2009#011592#011Security#011rgabcde#011User#011Success Audit#011XSXSXSN01#011Detailed Tracking#011#0112572#01119013885' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit

32
tests/parsertest-parse3-udp.sh Executable file

@ -0,0 +1,32 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%timereported:1:19:date-rfc3339,csv%, %hostname:::csv%, %programname:::csv%, %syslogtag:R,ERE,0,BLANK:[0-9]+--end:csv%, %syslogseverity:::csv%, %msg:::drop-last-lf,csv%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<175>Oct 16 2009 23:47:31 hostname tag This is a message\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<175>Oct 16 2009 23:47:31 hostname tag[1234] This is a message\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '"2009-10-16T23:47:31", "hostname", "tag", "", "7", " This is a message"
"2009-10-16T23:47:31", "hostname", "tag", "1234", "7", " This is a message"' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit

32
tests/parsertest-parse3.sh Executable file
View File

@ -0,0 +1,32 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%timereported:1:19:date-rfc3339,csv%, %hostname:::csv%, %programname:::csv%, %syslogtag:R,ERE,0,BLANK:[0-9]+--end:csv%, %syslogseverity:::csv%, %msg:::drop-last-lf,csv%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<175>Oct 16 2009 23:47:31 hostname tag This is a message\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<175>Oct 16 2009 23:47:31 hostname tag[1234] This is a message\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '"2009-10-16T23:47:31", "hostname", "tag", "", "7", " This is a message"
"2009-10-16T23:47:31", "hostname", "tag", "1234", "7", " This is a message"' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit


@ -0,0 +1,31 @@
#!/bin/bash
# add 2018-06-28 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
$Escape8BitCharactersOnReceive on
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<6>AUG 10 22:18:24 host tag This msg contains 8-bit European chars: äöü\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '6,kern,info,Aug 10 22:18:24,host,tag,tag, This msg contains 8-bit European chars: #303#244#303#266#303#274' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
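Review bot: The expected `#303#244#303#266#303#274` is the octal form of the UTF-8 bytes of the three umlauts, so the test silently depends on this script file being stored as UTF-8; saved in a single-byte encoding, the message would carry different bytes and the comparison would fail for a reason unrelated to `$Escape8BitCharactersOnReceive`. Nothing in the script records that. I would add next to the tcpflood line `# file must stay UTF-8: the umlauts are sent as C3 A4 / C3 B6 / C3 BC and must come back as #303#244#303#266#303#274`. The TCP variant that follows has the same dependency.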


@ -0,0 +1,31 @@
#!/bin/bash
# add 2018-06-28 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
$Escape8BitCharactersOnReceive on
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<6>AUG 10 22:18:24 host tag This msg contains 8-bit European chars: äöü\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '6,kern,info,Aug 10 22:18:24,host,tag,tag, This msg contains 8-bit European chars: #303#244#303#266#303#274' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit


@ -0,0 +1,30 @@
#!/bin/bash
# add 2018-06-28 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%timereported:1:19:date-rfc3339,csv%, %hostname:::csv%, %programname:::csv%, %syslogtag:R,ERE,0,BLANK:[0-9+--end:csv%, %syslogseverity:::csv%, %msg:::drop-last-lf,csv%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<175>Feb 08 2008 23:47:31 hostname tag This is a message\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '"2008-02-08T23:47:31", "hostname", "tag", **NO MATCH** **BAD REGULAR EXPRESSION**, "7", " This is a message"' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
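Review bot: The template's `%syslogtag:R,ERE,0,BLANK:[0-9+--end:csv%` contains an unterminated bracket expression, and only the expected `**NO MATCH** **BAD REGULAR EXPRESSION**` output shows that this is deliberate. Without a comment the pattern reads like a typo of the `[0-9]+` used in the parse3 tests, and a well-meant correction would remove the error-path coverage. I would add above the add-conf block `# the regex below is intentionally malformed ("[0-9+" has no closing bracket); the test checks that rsyslog reports the bad expression in the output`. The TCP variant that follows needs the same comment.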


@ -0,0 +1,30 @@
#!/bin/bash
# add 2018-06-28 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%timereported:1:19:date-rfc3339,csv%, %hostname:::csv%, %programname:::csv%, %syslogtag:R,ERE,0,BLANK:[0-9+--end:csv%, %syslogseverity:::csv%, %msg:::drop-last-lf,csv%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<175>Feb 08 2008 23:47:31 hostname tag This is a message\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '"2008-02-08T23:47:31", "hostname", "tag", **NO MATCH** **BAD REGULAR EXPRESSION**, "7", " This is a message"' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit


@ -0,0 +1,28 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
$EscapeControlCharactersOnReceive off
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%hostname%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"windowsserver MSWinEventLog 1 Security 1167 Fri Mar 19 15:33:30 2010 540 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff Successful Network Logon: User Name: WINDOWSSERVER$ Domain: DOMX Logon ID: (0x0,0xF88396) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.11.11.3 Source Port: 3306 733\\\n\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED="13,user,notice,$RS_HOSTNAME,windowsserver,windowsserver MSWinEventLog 1 Security 1167 Fri, Mar 19 15:33:30 2010 540 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff Successful Network Logon: User Name: WINDOWSSERVER$ Domain: DOMX Logon ID: (0x0,0xF88396) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.11.11.3 Source Port: 3306 733\n"
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
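Review bot: Nothing in this new script says why it exists only as a UDP test. It appears to replace the `snare_ccoff_udp` case of the removed parsertest.sh, whose comment explained that these samples are so malformed they break traditional syslog/tcp framing; that rationale is lost in the refactoring. I would add below the author line: `# UDP only: this sample is so malformed that it breaks traditional syslog/tcp framing`.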


@ -0,0 +1,32 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
$EscapeControlCharactersOnReceive off
template(name="outfmt" type="string" string="insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (%msg:::space-cc%, %syslogfacility%, %HOSTNAME%,%syslogpriority%, 20100321185328, 20100321185328, %iut%, %syslogtag:::space-cc%)\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"test\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"UX=Abcd-efg-hij-klmno; XXXXX=1111111111, Z123=192.12.231.245:11111, S1234=123456789, XXXXXX=111111111\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"windowsserver MSWinEventLog 1 Security 1167 Fri Mar 19 15:33:30 2010 540 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff Successful Network Logon: User Name: WINDOWSSERVER$ Domain: DOMX Logon ID: (0x0,0xF88396) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.11.11.3 Source Port: 3306 733\\\n\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED="insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (, 1, test,5, 20100321185328, 20100321185328, 1, )
insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ( XXXXX=1111111111, Z123=192.12.231.245:11111, S1234=123456789, XXXXXX=111111111, 1, $RS_HOSTNAME,5, 20100321185328, 20100321185328, 1, UX=Abcd-efg-hij-klmno;)
insert into windows (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ( Mar 19 15:33:30 2010 540 Security SYSTEM User Success Audit WINDOWSSERVER Logon/Logoff Successful Network Logon: User Name: WINDOWSSERVER$ Domain: DOMX Logon ID: (0x0,0xF88396) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {79b6eb79-7bcc-8a2e-7dad-953c51dc00fd} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.11.11.3 Source Port: 3306 733\n, 1, $RS_HOSTNAME,5, 20100321185328, 20100321185328, 1, windowsserver MSWinEventLog 1 Security 1167 Fri)"
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
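Review bot: The `outfmt` template is shaped like an SQL `insert` with unquoted values and no `option.sql` or `option.stdsql`, and the script does not say that it is only a formatting fixture. Here the result goes to `omfile`, so no statement is executed, but the first expected line shows a sender-chosen token (`test`) landing unchanged in the FromHost position. A comment above `add-conf` would keep the template from being copied into a database action: `# outfmt only mimics SQL to exercise space-cc; output goes to omfile, do not reuse for a database output without option.sql`.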


@ -1,53 +0,0 @@
#!/bin/bash
echo TEST: \[parsertest.sh\]: various parser tests
. $srcdir/diag.sh init
# first we need to obtain the hostname as rsyslog sees it
rm -f HOSTNAME
. $srcdir/diag.sh startup gethostname.conf
. $srcdir/diag.sh tcpflood -m1 -M "\"<128>\""
./msleep 100
. $srcdir/diag.sh shutdown-when-empty # shut down rsyslogd when done processing messages
. $srcdir/diag.sh wait-shutdown # we need to wait until rsyslogd is finished!
# now start the real tests
. $srcdir/diag.sh nettester parse1 udp
. $srcdir/diag.sh nettester parse1 tcp
. $srcdir/diag.sh nettester parse2 udp
. $srcdir/diag.sh nettester parse2 tcp
. $srcdir/diag.sh nettester parse_8bit_escape udp
. $srcdir/diag.sh nettester parse_8bit_escape tcp
. $srcdir/diag.sh nettester parse3 udp
. $srcdir/diag.sh nettester parse3 tcp
. $srcdir/diag.sh nettester parse_invld_regex udp
. $srcdir/diag.sh nettester parse_invld_regex tcp
. $srcdir/diag.sh nettester parse-3164-buggyday udp
. $srcdir/diag.sh nettester parse-3164-buggyday tcp
. $srcdir/diag.sh nettester parse-nodate udp
. $srcdir/diag.sh nettester parse-nodate tcp
# the following samples can only be run over UDP as they are so
# malformed they break traditional syslog/tcp framing...
. $srcdir/diag.sh nettester snare_ccoff_udp udp
. $srcdir/diag.sh nettester snare_ccoff_udp2 udp
echo \[parsertest.sh]: redoing tests in IPv4-only mode
. $srcdir/diag.sh nettester parse1 udp -4
. $srcdir/diag.sh nettester parse1 tcp -4
. $srcdir/diag.sh nettester parse2 udp -4
. $srcdir/diag.sh nettester parse2 tcp -4
. $srcdir/diag.sh nettester parse_8bit_escape udp -4
. $srcdir/diag.sh nettester parse_8bit_escape tcp -4
. $srcdir/diag.sh nettester parse3 udp -4
. $srcdir/diag.sh nettester parse3 tcp -4
. $srcdir/diag.sh nettester parse_invld_regex udp -4
. $srcdir/diag.sh nettester parse_invld_regex tcp -4
. $srcdir/diag.sh nettester parse-3164-buggyday udp -4
. $srcdir/diag.sh nettester parse-3164-buggyday tcp -4
. $srcdir/diag.sh nettester parse-nodate udp -4
. $srcdir/diag.sh nettester parse-nodate tcp -4
# UDP-only tests
. $srcdir/diag.sh nettester snare_ccoff_udp udp -4
. $srcdir/diag.sh nettester snare_ccoff_udp2 udp -4
rm -f HOSTNAME
. $srcdir/diag.sh exit

44
tests/pmlastmsg-udp.sh Executable file

@ -0,0 +1,44 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/pmlastmsg/.libs/pmlastmsg")
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.lastline","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<13>last message repeated 5 times\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<13>last message repeated 0090909787348927349875 times\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<13>last message repeated 5 times\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<13>last message repeated 5 times -- more data\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<13>last message repeated 5.2 times\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG long message ================================================================================\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<34>1 2003-11-11T22:14:15.003Z mymachine.example.com su - ID47 last message repeated 5 times\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo 'last message repeated 5 times
last message repeated 0090909787348927349875 times
repeated 5 times
repeated 5 times -- more data
repeated 5.2 times
Rest of message...
long message ================================================================================
last message repeated 5 times' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
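Review bot: The result check at the end of this script (`echo '...' | cmp - rsyslog.out.log` followed by `if [ ! $? -eq 0 ]`) keeps the old inline pattern, while the other scripts added in this commit set `EXPECTED` and call `cmp_exact rsyslog.out.log`. Using the helper here would remove the hand-written failure branch and keep the diagnostics in one place; the same applies to the pmlastmsg.sh section that follows. `cmp_exact` is defined outside the visible lines, but the multi-line `EXPECTED` values in the other new scripts suggest it handles this case. If the inline form stays, `if ! cmp - rsyslog.out.log; then` fed by the same `echo` avoids the separate `$?` test.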


@ -1,7 +1,44 @@
#!/bin/bash
echo ==============================================================================
echo \[pmlastmsg.sh\]: tests for pmlastmsg
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh nettester pmlastmsg udp
. $srcdir/diag.sh nettester pmlastmsg tcp
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/pmlastmsg/.libs/pmlastmsg")
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.lastline","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<13>last message repeated 5 times\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<13>last message repeated 0090909787348927349875 times\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<13>last message repeated 5 times\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<13>last message repeated 5 times -- more data\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<13>last message repeated 5.2 times\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG long message ================================================================================\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<34>1 2003-11-11T22:14:15.003Z mymachine.example.com su - ID47 last message repeated 5 times\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo 'last message repeated 5 times
last message repeated 0090909787348927349875 times
repeated 5 times
repeated 5 times -- more data
repeated 5.2 times
Rest of message...
long message ================================================================================
last message repeated 5 times' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
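Review bot: The first and third `tcpflood` samples read identically here (`<13>last message repeated 5 times`), yet the expected output keeps the full text for the first and only `repeated 5 times` for the third. Presumably the samples differ in whitespace that this rendering collapses; either way, the script does not record which inputs pmlastmsg should take and which should fall through to the RFC parsers. A short comment on each sample would make a failure readable, for example `# overlong repeat count: text is expected to be kept in full` above the `0090909787348927349875` line, as the expected output shows.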


@ -0,0 +1,38 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(localHostname="localhost"
parser.escapeControlCharactersCStyle="on")
$EscapeControlCharactersOnReceive on
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED='14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1\tSecurity\t00000000\tSun May 21 12:00:01.123\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\thostname.domain\tLogon\t\tAn account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................'
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
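Review bot: The script carries no comment stating what it asserts, and the samples as rendered do not make it obvious. The configuration turns on `parser.escapeControlCharactersCStyle` and the expected MSWinEventLog line contains literal `\t` sequences, so the test evidently checks that tab characters in the input are written as the two characters `\t`. I would add after the author line: `# checks that control characters (tabs in the snare sample) are escaped C-style as \t in the output`. Recording this matters because the property is what keeps raw control characters supplied by a sender out of the log file.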

39
tests/pmsnare-ccbackslash.sh Executable file

@ -0,0 +1,39 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
global(localHostname="localhost"
parser.escapeControlCharactersCStyle="on")
$EscapeControlCharactersOnReceive on
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED='14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1\tSecurity\t00000000\tSun May 21 12:00:01.123\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\thostname.domain\tLogon\t\tAn account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................'
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
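Review bot: `setvar_RS_HOSTNAME` is called right after `init`, but nothing in this script reads `$RS_HOSTNAME`: `EXPECTED` is single-quoted, the template has no hostname field, and the config pins `localHostname="localhost"`. The UDP variant in the preceding section omits the call. The helper is defined outside the visible lines; if it starts an rsyslogd instance to learn the hostname, as the removed parsertest.sh did, the call also costs test time. I would delete the line here and in tests/pmsnare-cccstyle-udp.sh, which has the same unused call.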

41
tests/pmsnare-cccstyle-udp.sh Executable file

@ -0,0 +1,41 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(parser.escapeControlCharactersCStyle="on")
$EscapeControlCharactersOnReceive on
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED='14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group local_in [0x0, 0x0]
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1\tSecurity\t00000000\tSun May 21 12:00:01.123\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\thostname.domain\tLogon\t\tAn account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................'
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
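Review bot: In the third `tcpflood` call the inner quotes in `access-group "local_in"` are not escaped, so the shell closes and reopens the string and the message is sent without them. The expected line was written to match (`access-group local_in [0x0, 0x0]`), so the test passes but no longer exercises a quoted token in that sample. The CipherSuite sample in the first call shows the working form; I would write `access-group \\\"local_in\\\" [0x0, 0x0]` and expect `access-group "local_in" [0x0, 0x0]`, assuming quotes pass through unescaped as they do in the CipherSuite line. The same unescaped quotes appear in the tests/pmsnare-cccstyle.sh section that follows.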

43
tests/pmsnare-cccstyle.sh Executable file

@ -0,0 +1,43 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
setvar_RS_HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
$EscapeControlCharactersOnReceive on
global(
parser.escapeControlCharactersCStyle="on"
)
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED='14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group local_in [0x0, 0x0]
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1\tSecurity\t00000000\tSun May 21 12:00:01.123\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\thostname.domain
14,user,info,MSWinEventLog,MSWinEventLog, 1\tSecurity\t00000000\tSun May 21 12:00:01.123\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\thostname.domain\tLogon\t\tAn account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................'
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit

42
tests/pmsnare-ccdefault-udp.sh Executable file

@ -0,0 +1,42 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group \\\"local_in\\\" [0x0, 0x0]\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
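Review bot: The result check at the end of this script still pipes the expected text through `echo '…' | cmp - rsyslog.out.log` and then tests `$?`, while the file just before it in this commit already uses the new helper style, `export EXPECTED='…'` followed by `cmp_exact rsyslog.out.log`. Since the commit message presents the bash-function plumbing as the way forward, the tail of this script could be reduced to those two statements, which also drops the separate `if [ ! $? -eq 0 ]` test. The same pattern appears in pmsnare-ccdefault.sh, pmsnare-ccoff-udp.sh, pmsnare-ccoff.sh and pmsnare-default-udp.sh. What `cmp_exact` prints on a mismatch is not visible here, so confirm it still shows the content of rsyslog.out.log as the current block does.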

42
tests/pmsnare-ccdefault.sh Executable file

@ -0,0 +1,42 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group \\\"local_in\\\" [0x0, 0x0]\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
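Review bot: The header comment gives only the date, author and licence, so nothing says what this test is meant to pin down or how it differs from its sibling scripts. Judging by the file name and the `#011` sequences in the expected output, it checks the pmsnare parser with control-character escaping left at its default; a line such as `# pmsnare with default control-character handling: tabs in Snare records must come out as #011` under the header would state that. It would also help to note that the `-M` payloads presumably contain literal tab characters, since these cannot be told apart from spaces when the script is read.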

36
tests/pmsnare-ccoff-udp.sh Executable file

@ -0,0 +1,36 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 5061 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain System Integrity Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 -0000000000\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
13,user,notice,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0115061#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011System Integrity#011#011Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0#011-0000000000' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
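Review bot: Nothing in the `add-conf` block switches control-character escaping off, although the file name says "ccoff": the configuration is the same as in pmsnare-ccdefault-udp.sh, and the expected output still shows tabs escaped as `#011`. If the test is meant to cover the escaping-off case, the global statement would need something like `global(localHostname="localhost" parser.escapeControlCharactersOnReceive="off")` and the expected text would change accordingly. If it is not, the name is misleading and a comment should say what is actually covered. pmsnare-ccoff.sh has the same configuration and expectation.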

36
tests/pmsnare-ccoff.sh Executable file

@ -0,0 +1,36 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain Logon An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"hostname.domain MSWinEventLog 1 Security 00000000 Sun May 21 12:00:01.123 5061 Microsoft-Windows-Security-Auditing N/A N/A Success Audit hostname.domain System Integrity Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 -0000000000\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0114624#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011Logon#011#011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................
13,user,notice,MSWinEventLog,MSWinEventLog, 1#011Security#01100000000#011Sun May 21 12:00:01.123#0115061#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011Success Audit#011hostname.domain#011System Integrity#011#011Cryptographic operation. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-c6bdb786-1851-4159-b5ea-5e3966571698 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0#011-0000000000' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
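Review bot: The third `tcpflood` message is sent without a `<PRI>` prefix, and the expected line for it begins with `13,user,notice`, so the check depends on the priority rsyslog assigns when none is supplied. That is worth a comment above that call, for example `# no PRI on purpose: expect the default priority 13 (user.notice)`, so that a later edit does not "fix" the payload by adding `<14>`. Whether the prefix was left out deliberately cannot be told from the script itself. The same message is used in pmsnare-ccoff-udp.sh.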

45
tests/pmsnare-default-udp.sh Executable file

@ -0,0 +1,45 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group \\\"local_in\\\" [0x0, 0x0]\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname MSWinEventLog 1 N/A 113977 Sun May 21 12:00:01.123 N/A nxlog N/A N/A N/A hostname N/A reconnecting to agent manager in 200 seconds N/A\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog#0111#011N,MSWinEventLog#0111#011N/A#011113977#011Sun, May 21 12:00:01.123#011N/A#011nxlog#011N/A#011N/A#011N/A#011hostname#011N/A#011#011reconnecting to agent manager in 200 seconds#011N/A' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
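Review bot: The last expected line, which starts `14,user,info,MSWinEventLog#0111#011N,MSWinEventLog#0111#011N/A#011113977…`, records a programname and tag that have swallowed part of the Snare record, and the script does not say that this is intended. The configuration here loads no pmsnare module and the ruleset names no parser list, so this looks like the baseline showing how such records come out without the Snare parser. A comment before the comparison, such as `# baseline without pmsnare: tab-separated Snare fields end up in programname/syslogtag`, would keep the odd-looking expectation from being read as a mistake.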

45
tests/pmsnare-default.sh Executable file

@ -0,0 +1,45 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
global(localHostname="localhost")
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>123456789: HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 2017 00:00:00: %ASA-4-102030: Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group \\\"local_in\\\" [0x0, 0x0]\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 2017 00:00:00: %ASA-6-102030: SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Rhttpproxy: verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname MSWinEventLog 1 N/A 113977 Sun May 21 12:00:01.123 N/A nxlog N/A N/A N/A hostname N/A reconnecting to agent manager in 200 seconds N/A\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,123456789,123456789:, HOSTNAME: May 21 12:00:01.123 gmt: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:105 TS:00000000000000 %NAT-6-LOG_TRANSLATION: Created Translation UDP 192.168.0.11:44593 192.168.0.11:21129 192.168.0.11:53 192.168.0.11:53 0................
14,user,info,%ASA-4-102030,%ASA-4-102030:, Deny udp src vlan_12302:192.168.0.11/514 dst vlan_1233:192.168.0.11/514 by access-group "local_in" [0x0, 0x0]
14,user,info,%ASA-6-102030,%ASA-6-102030:, SFR requested ASA to bypass further packet redirection and process TCP flow from vlan_1233:192.168.0.11/10469 to vlan_12323:192.168.0.11/443 locally
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,Rhttpproxy,Rhttpproxy:, verbose rhttpproxy[479C1B70] [Originator@6876 sub=Proxy Req 69725] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x00000000] _serverNamespace = /vpxa _isRedirect = false _port = 0000000000
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog#0111#011N,MSWinEventLog#0111#011N/A#011113977#011Sun, May 21 12:00:01.123#011N/A#011nxlog#011N/A#011N/A#011N/A#011hostname#011N/A#011#011reconnecting to agent manager in 200 seconds#011N/A' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
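Review bot: The configuration in tests/pmsnare-default.sh never loads pmsnare: the `add-conf` block only has `module(load="../plugins/imtcp/.libs/imtcp")`, and `ruleset(name="ruleset1")` carries no `parser=` list, unlike the modoverride tests in this commit. The expected last line has `MSWinEventLog#0111#011N` as programname, which looks like plain rfc3164 parsing, so as shown the test would keep passing if pmsnare regressed or failed to load. If the intent is to cover the module's defaults, add `module(load="../contrib/pmsnare/.libs/pmsnare")` and `parser=["rsyslog.snare","rsyslog.rfc5424","rsyslog.rfc3164"]` on the ruleset, then regenerate the expected output. Otherwise state in a comment that this is the baseline without the parser. The UDP variant ending just above this section expects the same output and may have the same gap, but its configuration is outside the visible part.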


@ -0,0 +1,47 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
global(
parser.escapeControlCharactersOnReceive="off"
parser.escapeControlCharacterTab="off"
parser.escapeControlCharactersCStyle="on"
parser.controlCharacterEscapePrefix="#"
)
parser(
name="modoverride.snare"
type="pmsnare"
parser.escapeControlCharactersOnReceive="on"
parser.escapeControlCharacterTab="on"
parser.escapeControlCharactersCStyle="off"
parser.controlCharacterEscapePrefix="\\"
)
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["modoverride.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog\\\\0111\\\\011Security\\\\01100000000\\\\011Sun May 21 12:00:01.123\\\\0114624\\\\011Microsoft-Windows-Security-Auditing\\\\011N/A\\\\011N/A\\\\011Success Audit\\\\011hostname.domain\\\\011Logon\\\\011\\\\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED='14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1\011Security\01100000000\011Sun May 21 12:00:01.123\0114624\011Microsoft-Windows-Security-Auditing\011N/A\011N/A\011Success Audit\011hostname.domain\011Logon\011\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................'
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
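Review bot: Nothing in this file says what it verifies; the only comment is the `add 2018-06-29` line, while the deleted pmsnare.sh at least carried a purpose header. The config sets contradictory values on purpose: `global()` has escaping off, C-style on and prefix `#`, while the `parser()` object has escaping on, C-style off and prefix `\\`. The point is presumably that the parser-level settings win for pmsnare. I would add a header such as `# checks that parser.* settings on the pmsnare parser() object override the conflicting global() ones (UDP input)`. The TCP twin, tests/pmsnare-modoverride.sh, needs the same comment.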

48
tests/pmsnare-modoverride.sh Executable file

@ -0,0 +1,48 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../contrib/pmsnare/.libs/pmsnare")
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
global(
parser.escapeControlCharactersOnReceive="off"
parser.escapeControlCharacterTab="off"
parser.escapeControlCharactersCStyle="on"
parser.controlCharacterEscapePrefix="#"
)
parser(
name="modoverride.snare"
type="pmsnare"
parser.escapeControlCharactersOnReceive="on"
parser.escapeControlCharacterTab="on"
parser.escapeControlCharactersCStyle="off"
parser.controlCharacterEscapePrefix="\\"
)
template(name="outfmt" type="string" string="%PRI%,%syslogfacility-text%,%syslogseverity-text%,%programname%,%syslogtag%,%msg%\n")
ruleset(name="ruleset1" parser=["modoverride.snare","rsyslog.rfc5424","rsyslog.rfc3164"]) {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<14> 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \\\"AES-256-CBC-SHA TLSv1 Non-Export 256-bit\\\" - Session Reuse The authenti\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>2017-05-21T00:00:01.123Z hostname.domain Hostd: verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname CROND[12393]: pam_unix(crond:session): session closed for user root................\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<14>May 21 12:00:01 hostname.domain MSWinEventLog\\\\0111\\\\011Security\\\\01100000000\\\\011Sun May 21 12:00:01.123\\\\0114624\\\\011Microsoft-Windows-Security-Auditing\\\\011N/A\\\\011N/A\\\\011Success Audit\\\\011hostname.domain\\\\011Logon\\\\011\\\\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
export EXPECTED='14,user,info,,, 05/21/2017:00:00:00 GMT HOSTNAME 1-ABC-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 39672436 0 : SPCBId 6377757 - ClientIP 192.168.0.11 - ClientPort 55073 - VserverServiceIP 192.168.0.11 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse The authenti
14,user,info,Hostd,Hostd:, verbose hostd[81480B70] [Originator@6876 sub=Hostsvc.StorageSystem] SendStorageInfoEvent: Notify: StorageSystemMsg{HBAs=[vmhba0, vmhba1, vmhba2, vmhba3, vmhba32, vmhba4, ]};
14,user,info,CROND,CROND[12393]:, pam_unix(crond:session): session closed for user root................
14,user,info,MSWinEventLog,MSWinEventLog, 1\011Security\01100000000\011Sun May 21 12:00:01.123\0114624\011Microsoft-Windows-Security-Auditing\011N/A\011N/A\011Success Audit\011hostname.domain\011Logon\011\011An account was successfully logged on. Subject: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon Type: 3 New Logon: Security ID: 0x000000000 Account Name: first.last Account Domain: domain Logon ID: 0x000000000 Logon GUID: 0x000000000 Process Information: Process ID: 0x000000000 Process Name: first.last Network Information: Workstation Name: Source Network Address: 192.168.0.11 Source Port: 51542 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that wa................'
cmp_exact rsyslog.out.log
. $srcdir/diag.sh exit
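Review bot: The `\\\\011` runs in the MSWinEventLog message on the fourth tcpflood line are not explained. After the quoting layers (the outer double quotes, the inner `\"…\"`, and whatever diag.sh does with the argument) it is hard to tell which bytes actually reach the listener. EXPECTED contains `\011` with the tag split off after `MSWinEventLog`, so the test seems to rely on pmsnare recognising that exact sequence as its tab representation. A comment above that line stating what is sent, for example `# sends the literal text \011 (not an HT byte), i.e. a message already escaped with the parser-level prefix — TODO confirm`, would let the next maintainer change the quoting safely. The same applies to the UDP variant in the preceding section.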


@ -1,45 +0,0 @@
#!/bin/bash
# pmsnare.sh
# Performs parser testing for the pmsnare module.
# It's based on rgerhards' parsertest.sh.
echo TEST: \[pmsnare.sh\]: test snare parser module
. $srcdir/diag.sh init
# first we need to obtain the hostname as rsyslog sees it
rm -f HOSTNAME
. $srcdir/diag.sh startup gethostname.conf
. $srcdir/diag.sh tcpflood -m1 -M "\"<128>\""
./msleep 100
. $srcdir/diag.sh shutdown-when-empty # shut down rsyslogd when done processing messages
. $srcdir/diag.sh wait-shutdown # we need to wait until rsyslogd is finished!
# now start the real tests
. $srcdir/diag.sh nettester pmsnare_default udp
. $srcdir/diag.sh nettester pmsnare_default tcp
. $srcdir/diag.sh nettester pmsnare_ccoff udp
. $srcdir/diag.sh nettester pmsnare_ccoff tcp
. $srcdir/diag.sh nettester pmsnare_ccdefault udp
. $srcdir/diag.sh nettester pmsnare_ccdefault tcp
. $srcdir/diag.sh nettester pmsnare_cccstyle udp
. $srcdir/diag.sh nettester pmsnare_cccstyle tcp
. $srcdir/diag.sh nettester pmsnare_ccbackslash udp
. $srcdir/diag.sh nettester pmsnare_ccbackslash tcp
. $srcdir/diag.sh nettester pmsnare_modoverride udp
. $srcdir/diag.sh nettester pmsnare_modoverride tcp
echo \[pmsnare.sh]: redoing tests in IPv4-only mode
. $srcdir/diag.sh nettester pmsnare_default udp
. $srcdir/diag.sh nettester pmsnare_default tcp
. $srcdir/diag.sh nettester pmsnare_ccoff udp -4
. $srcdir/diag.sh nettester pmsnare_ccoff tcp -4
. $srcdir/diag.sh nettester pmsnare_ccdefault udp -4
. $srcdir/diag.sh nettester pmsnare_ccdefault tcp -4
. $srcdir/diag.sh nettester pmsnare_cccstyle udp -4
. $srcdir/diag.sh nettester pmsnare_cccstyle tcp -4
. $srcdir/diag.sh nettester pmsnare_ccbackslash udp -4
. $srcdir/diag.sh nettester pmsnare_ccbackslash tcp -4
. $srcdir/diag.sh nettester pmsnare_modoverride udp -4
. $srcdir/diag.sh nettester pmsnare_modoverride tcp -4
rm -f HOSTNAME
. $srcdir/diag.sh exit


@ -0,0 +1,34 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514")
template(name="outfmt" type="string" string="+%syslogtag%+\n")
:pri, contains, "167" action(type="omfile" file="rsyslog.out.log"
template="outfmt")
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 0 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901-toolong Rest of message...\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '+TAG:+
+0+
+01234567890123456789012345678901+
+01234567890123456789012345678901-toolong+' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
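Review bot: The result check here is the hand-rolled `echo '…' | cmp - rsyslog.out.log` followed by `if [ ! $? -eq 0 ]`, whereas the modoverride tests in this same commit already use `export EXPECTED='…'` plus `cmp_exact rsyslog.out.log`. The commit message names the bash-function plumbing as the preferred style, so the new files should use it from the start: replace the echo/cmp/if block with `export EXPECTED='+TAG:+ …'` and `cmp_exact rsyslog.out.log`. Besides consistency, this removes the `[ ! $? -eq 0 ]` idiom, which breaks as soon as a command is inserted between the pipeline and the test. The same block appears in tests/pmsnare-default.sh, in the three tag tests that follow (including tests/proprepltest-rfctag.sh) and in the tabescape_* tests.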


@ -0,0 +1,34 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514")
template(name="outfmt" type="string" string="+%syslogtag%+\n")
:pri, contains, "167" action(type="omfile" file="rsyslog.out.log"
template="outfmt")
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 0 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901-toolong Rest of message...\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '+TAG:+
+0+
+01234567890123456789012345678901+
+01234567890123456789012345678901-toolong+' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
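Review bot: A comment stating the expected behaviour is missing. The template is `+%syslogtag%+` and the last expected line keeps `-toolong`, so this test pins that a tag longer than 32 characters is written untruncated when the template sets no range. The sibling tests with `%syslogtag:1:32%` expect the cut-off form. I would add `# syslogtag without a range must not be truncated to 32 chars` here and in the UDP variant above, and `# %syslogtag:1:32% must cut the tag to 32 chars` in the two rfctag files below.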


@ -0,0 +1,34 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514")
template(name="outfmt" type="string" string="+%syslogtag:1:32%+\n")
:pri, contains, "167" action(type="omfile" file="rsyslog.out.log"
template="outfmt")
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 0 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901-toolong Rest of message...\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '+TAG:+
+0+
+01234567890123456789012345678901+
+01234567890123456789012345678901+' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit

34
tests/proprepltest-rfctag.sh Executable file

@ -0,0 +1,34 @@
#!/bin/bash
# add 2018-06-27 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514")
template(name="outfmt" type="string" string="+%syslogtag:1:32%+\n")
:pri, contains, "167" action(type="omfile" file="rsyslog.out.log"
template="outfmt")
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 0 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901 Rest of message...\""
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901-toolong Rest of message...\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo '+TAG:+
+0+
+01234567890123456789012345678901+
+01234567890123456789012345678901+' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit


@ -1,9 +0,0 @@
#!/bin/bash
echo \[proprepltest.sh\]: various tests for the property replacer
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-HOSTNAME
. $srcdir/diag.sh nettester rfctag udp
. $srcdir/diag.sh nettester rfctag tcp
. $srcdir/diag.sh nettester nolimittag udp
. $srcdir/diag.sh nettester nolimittag tcp
. $srcdir/diag.sh init

29
tests/tabescape_dflt-udp.sh Executable file

@ -0,0 +1,29 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
template(name="outfmt" type="string" string="%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 test: before HT after HT (do NOT remove TAB!)\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo ' before HT#011after HT (do NOT remove TAB!)' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
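Review bot: The test depends on an invisible character: the message passed to `-M` must contain a literal TAB between `before HT` and `after HT`, and the only guard is the in-band text `(do NOT remove TAB!)`. Here a tab-to-space conversion fails loudly because `#011` is expected. In tests/tabescape_off-udp.sh and the rewritten tabescape_off.sh, however, both the input and the expected string carry the raw tab, so an editor or formatter that normalises whitespace leaves a test that still passes while no control character is sent. Add a shell comment above the tcpflood line, e.g. `# the gap between "before HT" and "after HT" is a literal TAB (0x09); keep it`. In the _off tests, consider producing the expected text byte-exactly with `printf ' before HT\tafter HT (do NOT remove TAB!)\n'`.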


@ -1,18 +1,29 @@
#!/bin/bash
echo ===============================================================================
echo \[tabescape_dflt.sh\]: test for default tab escaping
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
./nettester -ttabescape_dflt -iudp
if [ "$?" -ne "0" ]; then
echo erorr in udp run
exit 1
fi
template(name="outfmt" type="string" string="%msg%\n")
echo test via tcp
./nettester -ttabescape_dflt -itcp
if [ "$?" -ne "0" ]; then
echo erorr in tcp run
exit 1
fi
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 test: before HT after HT (do NOT remove TAB!)\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo ' before HT#011after HT (do NOT remove TAB!)' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit

32
tests/tabescape_off-udp.sh Executable file

@ -0,0 +1,32 @@
#!/bin/bash
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imudp/.libs/imudp")
input(type="imudp" port="13514" ruleset="ruleset1")
$ErrorMessagesToStderr off
$EscapeControlCharacterTab off
template(name="outfmt" type="string" string="%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -T "udp" -M "\"<167>Mar 6 16:57:54 172.20.245.8 test: before HT after HT (do NOT remove TAB!)\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo ' before HT after HT (do NOT remove TAB!)' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit
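Review bot: The new config mixes legacy directives (`$ErrorMessagesToStderr off`, `$EscapeControlCharacterTab off`) into an otherwise RainerScript file, while the modoverride tests added in this commit set the same option as `parser.escapeControlCharacterTab="off"` inside `global()`. Unless the legacy directive itself is what this test is meant to cover, I would write `global(parser.escapeControlCharacterTab="off")` instead, or add a comment saying the legacy form is intentional. The rewritten tabescape_off.sh in the next section has the same two lines.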


@ -1,16 +1,32 @@
#!/bin/bash
echo ===============================================================================
echo \[tabescape_off.sh\]: test for tab escaping off
# add 2018-06-29 by Pascal Withopf, released under ASL 2.0
. $srcdir/diag.sh init
. $srcdir/diag.sh generate-HOSTNAME
. $srcdir/diag.sh generate-conf
. $srcdir/diag.sh add-conf '
module(load="../plugins/imtcp/.libs/imtcp")
input(type="imtcp" port="13514" ruleset="ruleset1")
./nettester -ttabescape_off -iudp
if [ "$?" -ne "0" ]; then
exit 1
fi
$ErrorMessagesToStderr off
$EscapeControlCharacterTab off
echo test via tcp
./nettester -ttabescape_off -itcp
if [ "$?" -ne "0" ]; then
exit 1
fi
template(name="outfmt" type="string" string="%msg%\n")
ruleset(name="ruleset1") {
action(type="omfile" file="rsyslog.out.log"
template="outfmt")
}
'
. $srcdir/diag.sh startup
. $srcdir/diag.sh tcpflood -m1 -M "\"<167>Mar 6 16:57:54 172.20.245.8 test: before HT after HT (do NOT remove TAB!)\""
. $srcdir/diag.sh shutdown-when-empty
. $srcdir/diag.sh wait-shutdown
echo ' before HT after HT (do NOT remove TAB!)' | cmp - rsyslog.out.log
if [ ! $? -eq 0 ]; then
echo "invalid response generated, rsyslog.out.log is:"
cat rsyslog.out.log
. $srcdir/diag.sh error-exit 1
fi;
. $srcdir/diag.sh exit


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78 DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
DROP_url_www.sina.com.cn:IN=eth1
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: MSG
12514
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: MSG
12515
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: MSG
12516
#Only the first two lines are important, you may place anything behind them!


@ -1,2 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
167,Mar 6 16:57:54,172.20.245.8,%PIX-7-710005,%PIX-7-710005:,


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 %PIX-7-710005: UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
167,local4,debug,Mar 6 16:57:54,172.20.245.8,%PIX-7-710005,%PIX-7-710005:, UDP request discarded from SERVER1/2741 to test_app:255.255.255.255/61601
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 test: before HT after HT (do NOT remove TAB!)
before HT#011after HT (do NOT remove TAB!)
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 test: before HT after HT (do NOT remove TAB!)
before HT after HT (do NOT remove TAB!)
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<38>Mar 27 19:06:53 source_server sshd(pam_unix)[12750]: session opened for user foo by (uid=0)
38,auth,info,Mar 27 19:06:53,source_server,sshd(pam_unix),sshd(pam_unix)[12750]:, session opened for user foo by (uid=0)
# yet another real-life sample where we had some issues with


@ -1,3 +0,0 @@
<38>Apr 6 15:07:10 lxcvs07 sshd(pam_unix)[31738]: session closed for user cvsadmin
38,auth,info,Apr 6 15:07:10,lxcvs07,sshd(pam_unix),sshd(pam_unix)[31738]:, session closed for user cvsadmin
# yet another real-life sample where we had some issues with


@ -1,4 +0,0 @@
<29>Jul 31 21:39:21 example-b example-gw[10538]: disconnect host=/192.0.2.1 destination=192.0.2.2/11282 in=3274 out=1448 duration=0
29,daemon,notice,Jul 31 21:39:21,example-b,example-gw,example-gw[10538]:, disconnect host=/192.0.2.1 destination=192.0.2.2/11282 in=3274 out=1448 duration=0
# yet another real-life sample where we had some issues with - the important
# part is the dash inside the hostname!


@ -1,2 +0,0 @@
<6>AUG 10 22:18:24 host tag This msg contains 8-bit European chars: äöü
6,kern,info,Aug 10 22:18:24,host,tag,tag, This msg contains 8-bit European chars: äöü


@ -1,2 +0,0 @@
<6>AUG 10 22:18:24 host tag This msg contains 8-bit European chars: äöü
6,kern,info,Aug 10 22:18:24,host,tag,tag, This msg contains 8-bit European chars: #303#244#303#266#303#274


@ -1,3 +0,0 @@
<167>Apr 6 16:57:54 172.20.245.8 TAG: MSG
Apr 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Aug 6 16:57:54 172.20.245.8 TAG: MSG
Aug 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Dec 6 16:57:54 172.20.245.8 TAG: MSG
Dec 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Feb 6 16:57:54 172.20.245.8 TAG: MSG
Feb 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Jan 6 16:57:54 172.20.245.8 TAG: MSG
Jan 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Jul 6 16:57:54 172.20.245.8 TAG: MSG
Jul 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Jun 6 16:57:54 172.20.245.8 TAG: MSG
Jun 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 TAG: MSG
Mar 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>May 6 16:57:54 172.20.245.8 TAG: MSG
May 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Nov 6 16:57:54 172.20.245.8 TAG: MSG
Nov 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Oct 6 16:57:54 172.20.245.8 TAG: MSG
Oct 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Sep 6 16:57:54 172.20.245.8 TAG: MSG
Sep 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<38> Mar 7 19:06:53 example tag: testmessage (only date actually tested)
38,auth,info,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
# one space in front of the date


@ -1,3 +0,0 @@
<38>Mar 7 19:06:53 example tag: testmessage (only date actually tested)
38,auth,info,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
# only one space between "Mar" and "7"


@ -1,3 +0,0 @@
<38>Mar 7 2008 19:06:53: example tag: testmessage (only date actually tested)
38,auth,info,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
# the year should not be there, nor the colon after the date, but we accept it...


@ -1,3 +0,0 @@
<38>Mar 7 2008 19:06:53 example tag: testmessage (only date actually tested)
38,auth,info,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
# the year should not be there, but we accept it...


@ -1,3 +0,0 @@
<38>Mar 7 19:06:53: example tag: testmessage (only date actually tested)
38,auth,info,Mar 7 19:06:53,example,tag,tag:, testmessage (only date actually tested)
# colon after timestamp is strictly not ok, but we accept it


@ -1,3 +0,0 @@
<14>Jan 6 2009 15:22:26 localhost
14,user,info,Jan 6 15:22:26,localhost,,,
#Note: there is one space after localhost, but then \n!


@ -1,8 +0,0 @@
$ModLoad ../plugins/omstdout/.libs/omstdout
$IncludeConfig nettest.input.conf # This picks the to be tested input from the test driver!
$ErrorMessagesToStderr off
# use a special format that we can easily parse in expect
$template fmt,"%msg:F,32:2%\n"
*.* :omstdout:;fmt


@ -1,19 +0,0 @@
# This is a special case, thus we define the inputs ourselfs
$ModLoad ../plugins/omstdout/.libs/omstdout
$ModLoad ../plugins/imtcp/.libs/imtcp
$InputTCPServerInputname 12514
$InputTCPServerRun 12514
$InputTCPServerInputname 12515
$InputTCPServerRun 12515
$InputTCPServerInputname 12516
$InputTCPServerRun 12516
$ErrorMessagesToStderr off
# use a special format that we can easily parse in expect
$template fmt,"%inputname%\n"
*.* :omstdout:;fmt


@ -1,6 +0,0 @@
<131>Oct 8 23:05:06 10.321.1.123 05",result_code=200,b
131,local0,err,Oct 8 23:05:06,10.321.1.123,05",result_code=200,b,05",result_code=200,b,
# a somewhat mangeld-with real-life sample of a malformed message
# the key here is not what is being parsed, but that we do not abort!
# NOTE: if a parser enhancement breaks the format, this is probably OK
# also note that the above message does NOT contain a MSG part


@ -1,7 +0,0 @@
#This is a malformed message, but one from real life. At least,
#it should be parsed as can be seen here.
<6>Feb 18 16:01:59 serverX -- MARK --
6,kern,info,Feb 18 16:01:59,serverX,--,--, MARK --
# and the next one as an extreme case (note the absence of PRI)
Feb 18 16:01:59 serverX -- MARK --
13,user,notice,Feb 18 16:01:59,serverX,--,--, MARK --


@ -1,11 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...
+TAG:+
# now one char, no colon
<167>Mar 6 16:57:54 172.20.245.8 0 Rest of message...
+0+
# Now exactly with 32 characters
<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901 Rest of message...
+01234567890123456789012345678901+
# Now oversize, should be completely output with this config
<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901-toolong Rest of message...
+01234567890123456789012345678901-toolong+


@ -1,28 +0,0 @@
# the following messages should be processed by pmlastmsg:
<13>last message repeated 5 times
last message repeated 5 times
#
<13>last message repeated 0090909787348927349875 times
last message repeated 0090909787348927349875 times
# now slightly malformed formats that should NOT be processed
# by pmlasmsg:
<13>last message repeated 5 times
repeated 5 times
#
<13>last message repeated 5 times -- more data
repeated 5 times -- more data
# message count invalid:
<13>last message repeated 5.2 times
repeated 5.2 times
#
#
# now follow samples of non-pmlastmsg messages:
#
<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...
Rest of message...
# Now exactly with 32 characters
<167>Mar 6 16:57:54 172.20.245.8 TAG long message ================================================================================
long message ================================================================================
# RFC5424 messages
<34>1 2003-11-11T22:14:15.003Z mymachine.example.com su - ID47 last message repeated 5 times
last message repeated 5 times


@ -1,11 +0,0 @@
<167>Mar 6 16:57:54 172.20.245.8 TAG: Rest of message...
+TAG:+
# now one char, no colon
<167>Mar 6 16:57:54 172.20.245.8 0 Rest of message...
+0+
# Now exactly with 32 characters
<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901 Rest of message...
+01234567890123456789012345678901+
# Now oversize, should be truncated with this config
<167>Mar 6 16:57:54 172.20.245.8 01234567890123456789012345678901-toolong Rest of message...
+01234567890123456789012345678901+


@ -1,8 +0,0 @@
<34>1 2003-01-23T12:34:56.003Z mymachine.example.com su - ID47 - MSG
003
# full precision
<34>1 2003-01-23T12:34:56.123456Z mymachine.example.com su - ID47 - MSG
123456
# without
<34>1 2003-01-23T12:34:56Z mymachine.example.com su - ID47 - MSG
0


@ -1,22 +0,0 @@
<34>1 2003-11-11T22:14:15.003Z mymachine.example.com su - ID47 - MSG
2003-11-11T22:14:15.003Z
# next test
<34>1 2003-01-11T22:14:15.003Z mymachine.example.com su - ID47 - MSG
2003-01-11T22:14:15.003Z
# next test
<34>1 2003-11-01T22:04:15.003Z mymachine.example.com su - ID47 - MSG
2003-11-01T22:04:15.003Z
# next test
<34>1 2003-11-11T02:14:15.003Z mymachine.example.com su - ID47 - MSG
2003-11-11T02:14:15.003Z
# next test
<34>1 2003-11-11T22:04:05.003Z mymachine.example.com su - ID47 - MSG
2003-11-11T22:04:05.003Z
# next test
<34>1 2003-11-11T22:04:05.003+02:00 mymachine.example.com su - ID47 - MSG
2003-11-11T22:04:05.003+02:00
# next test
<34>1 2003-11-11T22:04:05.003+01:30 mymachine.example.com su - ID47 - MSG
2003-11-11T22:04:05.003+01:30
<34>1 2003-11-11T22:04:05.123456+01:30 mymachine.example.com su - ID47 - MSG
2003-11-11T22:04:05.123456+01:30


@ -1,2 +0,0 @@
<34>1 2003-01-23T12:34:56.003Z mymachine.example.com su - ID47 - MSG
20030123123456


@ -1,2 +0,0 @@
<34>1 2003-01-23T12:34:56.003Z mymachine.example.com su - ID47 - MSG
2003-01-23 12:34:56


@ -1,3 +0,0 @@
<167>Jan 6 16:57:54 172.20.245.8 TAG: MSG
Jan 6 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,3 +0,0 @@
<167>Jan 16 16:57:54 172.20.245.8 TAG: MSG
Jan 16 16:57:54
#Only the first two lines are important, you may place anything behind them!


@ -1,8 +0,0 @@
$ModLoad ../plugins/omstdout/.libs/omstdout
$IncludeConfig nettest.input.conf # This picks the to be tested input from the test driver!
$ErrorMessagesToStderr off
# use a special format
$template fmt,"+%syslogtag%+\n"
*.* :omstdout:;fmt


@ -1,13 +0,0 @@
# Test config for array-passing output module interface
# (stanard string passing is already tested via the other test inside
# the testbench, so we do not need to focus on that)
# rgerhards, 2009-04-03
$ModLoad ../plugins/omstdout/.libs/omstdout
$IncludeConfig nettest.input.conf # This picks the to be tested input from the test driver!
$ActionOMStdoutArrayInterface on
$ErrorMessagesToStderr off
# do NOT remove \n, that would hang the test driver!
$template expect,"%PRI%%timestamp%%hostname%%programname%%syslogtag%\n"
*.* :omstdout:;expect


@ -1,2 +0,0 @@
<38>Mar 27 19:06:53 source_server 0123456789012345678901234567890123456789: MSG part
38,auth,info,Mar 27 19:06:53,source_server,0123456789012345678901234567890123456789,0123456789012345678901234567890123456789:, MSG part


@ -1,8 +0,0 @@
$ModLoad ../plugins/omstdout/.libs/omstdout
$IncludeConfig nettest.input.conf # This picks the to be tested input from the test driver!
$ErrorMessagesToStderr off
# use a special format that we can easily parse in expect
$template expect,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp:::date-rfc3164-buggyday%,%hostname%,%programname%,%syslogtag%,%msg%\n"
*.* :omstdout:;expect


@ -1,14 +0,0 @@
# test is a test config that does not include the timestamp. This is necessary to
# test some illformed messages that do not contain a date. In that case, the system's
# current timestamp is used, and that of course is a bit hard to compare against
# a fixed template. So the solution in this case is to use a format that does
# not contain any timestamp. Maybe not optimal, but it works ;)
# rgerhards, 2010-03-19
$ModLoad ../plugins/omstdout/.libs/omstdout
$IncludeConfig nettest.input.conf # This picks the to be tested input from the test driver!
$ErrorMessagesToStderr off
# use a special format that we can easily parse
$template fmt,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%hostname%,%programname%,%syslogtag%,%msg%\n"
*.* :omstdout:;fmt


@ -1,9 +0,0 @@
$ModLoad ../plugins/omstdout/.libs/omstdout
$IncludeConfig nettest.input.conf # This picks the to be tested input from the test driver!
$ErrorMessagesToStderr off
$LocalHostName localhost
# use a special format that we can easily parse in expect
$template expect,"%PRI%,%syslogfacility-text%,%syslogseverity-text%,%timestamp%,%hostname%,%programname%,%syslogtag%,%msg%\n"
*.* :omstdout:;expect
