added capability to ignore client-provided timestamp on unix sockets and

made this mode the default; this was needed, as some programs (e.g. sshd) log with inconsistent timezone information, what messes up the local logs (which by default don't even contain time zone information). This seems to be consistent with what sysklogd did for the past four years. Alternate behaviour may be desirable if gateway-like processes send messages via the local log slot - in this case, it can be enabled via the $InputUnixListenSocketIgnoreMsgTimestamp and $SystemLogSocketIgnoreMsgTimestamp config directives
2025-12-19 01:00:41 +01:00 · 2008-03-06 13:55:04 +00:00 · 2008-03-06 13:55:04 +00:00 · dfb2142974
commit dfb2142974
parent 8d36b9159f
10 changed files with 108 additions and 31 deletions
--- a/9
+++ b/9
@ -12,6 +12,15 @@ Version 3.12.1 (rgerhards), 2008-03-06
 - added support for the MonitorWare syslog MIB to omsnmp
 - internal code improvements (more code converted into classes)
 - internal code reworking of the imtcp/imgssapi module
+- added capability to ignore client-provided timestamp on unix sockets and
+  made this mode the default; this was needed, as some programs (e.g. sshd)
+  log with inconsistent timezone information, what messes up the local
+  logs (which by default don't even contain time zone information). This
+  seems to be consistent with what sysklogd did for the past four years.
+  Alternate behaviour may be desirable if gateway-like processes send
+  messages via the local log slot - in this case, it can be enabled
+  via the $InputUnixListenSocketIgnoreMsgTimestamp and
+  $SystemLogSocketIgnoreMsgTimestamp config directives
 ---------------------------------------------------------------------------
 Version 3.12.0 (rgerhards), 2008-02-28
 - added full expression support for filters; filters can now contain
--- a/configure.ac
+++ b/configure.ac
@ -80,7 +80,7 @@ AC_FUNC_STAT
 AC_FUNC_STRERROR_R
 AC_FUNC_VPRINTF
 AC_FUNC_WAIT3
-AC_CHECK_FUNCS([flock alarm clock_gettime gethostbyname gethostname gettimeofday localtime_r memset mkdir regcomp select setid socket strcasecmp strchr strdup strerror strndup strnlen strrchr strstr strtol strtoul uname ttyname_r])
+AC_CHECK_FUNCS([flock basename alarm clock_gettime gethostbyname gethostname gettimeofday localtime_r memset mkdir regcomp select setid socket strcasecmp strchr strdup strerror strndup strnlen strrchr strstr strtol strtoul uname ttyname_r])


 # Large file support
--- a/doc/imuxsock.html
+++ b/doc/imuxsock.html
@ -0,0 +1,47 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head>
+<meta http-equiv="Content-Language" content="en"><title>Unix Socket Input</title>
+
+</head>
+<body>
+<h1>Unix Socket Input</h1>
+<p><b>Module Name:&nbsp;&nbsp;&nbsp; imuxsock</b></p>
+<p><b>Author: </b>Rainer Gerhards
+&lt;rgerhards@adiscon.com&gt;</p>
+<p><b>Description</b>:</p>
+<p>Provides the ability to accept syslog messages via local Unix
+sockets. Most importantly, this is the mechanism by which the syslog(3)
+call delivers syslog messages to rsyslogd. So you need to have this
+module loaded to read the system log socket and be able to process log
+messages from applications running on the local system.</p><p>Application-provided
+timestamps are ignored by default. This is needed, as some programs
+(e.g. sshd)&nbsp;log with inconsistent timezone information, what
+messes up the local logs (which by default don't even contain time zone
+information). This seems to be consistent with what sysklogd did for
+the past four years. Alternate behaviour may be desirable if
+gateway-like processes send messages via the local log slot - in this
+case, it can be enabled via the
+$InputUnixListenSocketIgnoreMsgTimestamp and $SystemLogSocketIgnoreMsgTimestamp config directives</p><p><b>Configuration Directives</b>:</p>
+<ul>
+<li><span style="font-weight: bold;">$InputUnixListenSocketIgnoreMsgTimestamp</span> [<span style="font-weight: bold;">on</span>/off]<strong></strong><br>Ignore timestamps included in the message. Applies to the next socket being added.</li><li><span style="font-weight: bold;">$SystemLogSocketIgnoreMsgTimestamp</span> [<span style="font-weight: bold;">on</span>/off]<br>Ignore timestamps included in the messages, applies to messages received via the system log socket.</li><li><span style="font-weight: bold;">$OmitLocalLogging</span> (imuxsock) [on/<b>off</b>] --
+former -o option</li><li><span style="font-weight: bold;">$SystemLogSocketName</span> &lt;name-of-socket&gt; --
+former -p option</li><li><span style="font-weight: bold;">$AddUnixListenSocket</span> &lt;name-of-socket&gt; adds
+additional unix socket, default none -- former -a option</li></ul>
+<b>Caveats/Known Bugs:</b><br>
+<br>
+This documentation is sparse and incomplete.
+<p><b>Sample:</b></p>
+<p>The following sample is the minimum setup required to accept syslog messages from applications running on the local system.<br>
+</p>
+<textarea rows="15" cols="60">$ModLoad imuxsock # needs to be done just once
+</textarea>
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
+[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a>
+project.<br>
+Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
+Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>.
+Released under the GNU GPL version 3 or higher.</font></p>
+</body></html>
--- a/doc/rsyslog_conf.html
+++ b/doc/rsyslog_conf.html
@ -1,7 +1,5 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html><head><title>rsyslog.conf file</title>
-
-</head>
+<html><head><title>rsyslog.conf file</title></head>
 <body>
 <h1>rsyslog.conf configuration file</h1>
 <p><b>This document is currently being enhanced. Please
@ -43,7 +41,7 @@ plugin for plain tcp syslog</li>
 <li><a href="imgssapi.html">imgssapi</a> -
 input plugin for plain tcp and GSS-enable syslog</li>
 <li>immark - support for mark messages</li>
-<li>imklog - kernel logging</li>
+<li>imklog - kernel logging</li><li><a href="imuxsock.html">imuxsock</a> - unix sockets, including the system log socket</li>
 </ul>
 <p>Please note that each module provides configuration
 directives, which are NOT necessarily being listed below. Also
@ -100,10 +98,7 @@ default 60000 (1 minute)]</li>
 worker threads, default 1, recommended 1</li>
 <li>$ActionQueueWorkerThreadMinumumMessages
 &lt;number&gt;, default 100</li>
-<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li>
-<li>$AddUnixListenSocket &lt;name-of-socket&gt; adds
-additional unix socket, default none -- former -a option</li>
-<li>$ActionResumeRetryCount &lt;number&gt; [default 0,
+<li><a href="rsconf1_actionresumeinterval.html">$ActionResumeInterval</a></li><li>$ActionResumeRetryCount &lt;number&gt; [default 0,
 -1 means eternal]</li>
 <li><a href="rsconf1_allowedsender.html">$AllowedSender</a></li>
 <li><a href="rsconf1_controlcharacterescapeprefix.html">$ControlCharacterEscapePrefix</a></li>
@ -171,15 +166,11 @@ worker threads, default 1, recommended 1</li>
 (immark)</li>
 <li><a href="rsconf1_moddir.html">$ModDir</a></li>
 <li><a href="rsconf1_modload.html">$ModLoad</a></li>
-<li>$OmitLocalLogging (imuxsock) [on/<b>off</b>] --
-former -o option</li>
+
 <li><a href="rsconf1_repeatedmsgreduction.html">$RepeatedMsgReduction</a></li>
 <li><a href="rsconf1_resetconfigvariables.html">$ResetConfigVariables</a></li>
 <li>$WorkDirectory &lt;name&gt; (directory for spool
-and other work files)</li>
-<li>$SystemLogSocketName &lt;name-of-socket&gt; --
-former -p option</li>
-<li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP
+and other work files)</li><li>$UDPServerAddress &lt;IP&gt; (imudp) -- local IP
 address (or name) the UDP listens should bind to</li>
 <li>$UDPServerRun &lt;port&gt; (imudp) -- former
 -r&lt;port&gt; option, default 514, start UDP server on this
--- a/plugins/imklog/imklog.c
+++ b/plugins/imklog/imklog.c
@ -127,7 +127,7 @@ static rsRetVal writeSyslogV(int iPRI, const char *szFmt, va_list va)

 	/* here we must create our message object and supply it to the message queue
 	 */
-	CHKiRet(parseAndSubmitMessage(LocalHostName, msgBuf, strlen(msgBuf), MSG_DONT_PARSE_HOSTNAME));
+	CHKiRet(parseAndSubmitMessage(LocalHostName, msgBuf, strlen(msgBuf), MSG_DONT_PARSE_HOSTNAME, NOFLAG));

 finalize_it:
 	RETiRet;
--- a/plugins/imudp/imudp.c
+++ b/plugins/imudp/imudp.c
@ -189,7 +189,8 @@ CODESTARTrunInput
 							*/
 						       if(isAllowedSender(pAllowedSenders_UDP,
 							  (struct sockaddr *)&frominet, (char*)fromHostFQDN)) {
-							       parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l,  MSG_PARSE_HOSTNAME);
+							       parseAndSubmitMessage((char*)fromHost, (char*) pRcvBuf, l,
+							       MSG_PARSE_HOSTNAME, NOFLAG);
 						       } else {
 							       dbgprintf("%s is not an allowed sender\n", (char*)fromHostFQDN);
 							       if(option_DisallowWarning) {
--- a/plugins/imuxsock/imuxsock.c
+++ b/plugins/imuxsock/imuxsock.c
@ -68,6 +68,7 @@ static int startIndexUxLocalSockets; /* process funix from that index on (used t
 				   * read-only after startup
 				   */
 static int funixParseHost[MAXFUNIX] = { 0, }; /* should parser parse host name?  read-only after startup */
+static int funixFlags[MAXFUNIX] = { ADDDATE, }; /* should parser parse host name?  read-only after startup */
 static uchar *funixn[MAXFUNIX] = { (uchar*) _PATH_LOG }; /* read-only after startup */
 static int funix[MAXFUNIX] = { -1, }; /* read-only after startup */
 static int nfunix = 1; /* number of Unix sockets open / read-only after startup */
@ -75,6 +76,20 @@ static int nfunix = 1; /* number of Unix sockets open / read-only after startup
 /* config settings */
 static int bOmitLocalLogging = 0;
 static uchar *pLogSockName = NULL;
+static int bIgnoreTimestamp = 1; /* ignore timestamps present in the incoming message? */
+
+
+/* set the timestamp ignore / not ignore option for the system
+ * log socket. This must be done separtely, as it is not added via a command
+ * but present by default. -- rgerhards, 2008-03-06
+ */
+static rsRetVal setSystemLogTimestampIgnore(void __attribute__((unused)) *pVal, int iNewVal)
+{
+	DEFiRet;
+RUNLOG_VAR("%d", iNewVal);
+	funixFlags[0] = iNewVal ? ADDDATE : NOFLAG;
+	RETiRet;
+}


 /* add an additional listen socket. Socket names are added
@ -95,6 +110,7 @@ static rsRetVal addLstnSocketName(void __attribute__((unused)) *pVal, uchar *pNe
 		else {
 			funixParseHost[nfunix] = 0;
 		}
+		funixFlags[nfunix] = bIgnoreTimestamp ? ADDDATE : NOFLAG;
 		funixn[nfunix++] = pNewVal;
 	}
 	else {
@ -157,7 +173,7 @@ static int create_unix_socket(const char *path)
 * to receive and submits the message received for processing.
 * rgerhards, 2007-12-20
 */
-static rsRetVal readSocket(int fd, int bParseHost)
+static rsRetVal readSocket(int fd, int bParseHost, int flags)
 {
 	DEFiRet;
 	int iRcvd;
@ -166,7 +182,7 @@ static rsRetVal readSocket(int fd, int bParseHost)
 	iRcvd = recv(fd, line, MAXLINE - 1, 0);
 	dbgprintf("Message from UNIX socket: #%d\n", fd);
 	if (iRcvd > 0) {
-		parseAndSubmitMessage(LocalHostName, line, iRcvd, bParseHost);
+		parseAndSubmitMessage(LocalHostName, line, iRcvd, bParseHost, flags);
 	} else if (iRcvd < 0 && errno != EINTR) {
 		char errStr[1024];
 		rs_strerror_r(errno, errStr, sizeof(errStr));
@ -221,7 +237,7 @@ CODESTARTrunInput

 		for (i = 0; i < nfunix && nfds > 0; i++) {
 			if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
-				readSocket(fd, funixParseHost[i]);
+				readSocket(fd, funixParseHost[i], funixFlags[i]);
 				--nfds; /* indicate we have processed one */
 			}
 		}
@ -292,6 +308,7 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a

 	discardFunixn();
 	nfunix = 1;
+	bIgnoreTimestamp = 1;

 	return RS_RET_OK;
 }
@ -313,12 +330,22 @@ CODEmodInit_QueryRegCFSLineHdlr
 	/* register config file handlers */
 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"omitlocallogging", 0, eCmdHdlrBinary,
 		NULL, &bOmitLocalLogging, STD_LOADABLE_MODULE_ID));
+	CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputunixlistensocketignoremsgtimestamp", 0, eCmdHdlrBinary,
+		NULL, &bIgnoreTimestamp, STD_LOADABLE_MODULE_ID));
 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"systemlogsocketname", 0, eCmdHdlrGetWord,
 		NULL, &pLogSockName, STD_LOADABLE_MODULE_ID));
 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"addunixlistensocket", 0, eCmdHdlrGetWord,
 		addLstnSocketName, NULL, STD_LOADABLE_MODULE_ID));
 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
 		resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
+	/* the following one is a (dirty) trick: the system log socket is not added via
+	 * an "addUnixListenSocket" config format. As such, the timestamp can not be modified
+	 * via $InputUnixListenSocketIgnoreMsgTimestamp". So we need to add a special directive
+	 * for that. We should revisit all of that once we have the new config format...
+	 * rgerhards, 2008-03-06
+	 */
+	CHKiRet(omsdRegCFSLineHdlr((uchar *)"systemlogsocketignoremsgtimestamp", 0, eCmdHdlrBinary,
+		setSystemLogTimestampIgnore, NULL, STD_LOADABLE_MODULE_ID));
 ENDmodInit
 /*
 * vi:set ai:
--- a/syslogd.c
+++ b/syslogd.c
@ -628,8 +628,10 @@ void untty(void)
 * HOSTNAME or not. rgerhards 2004-11-16.
 * changed parameter iSource to bParseHost. For details, see comment in
 * printchopped(). rgerhards 2005-10-06
+ * rgerhards: 2008-03-06: added "flags" to allow an input module to specify
+ * flags, most importantly to request ignoring the messages' timestamp.
 */
-rsRetVal printline(char *hname, char *msg, int bParseHost)
+rsRetVal printline(char *hname, char *msg, int bParseHost, int flags)
 {
 	DEFiRet;
 	register char *p;
@ -678,7 +680,7 @@ rsRetVal printline(char *hname, char *msg, int bParseHost)
 	if(MsgSetUxTradMsg(pMsg, p) != 0)
 		ABORT_FINALIZE(RS_RET_ERR);

-	logmsg(pMsg, SYNC_FILE);
+	logmsg(pMsg, flags | SYNC_FILE);

 finalize_it:
 	RETiRet;
@ -716,7 +718,7 @@ finalize_it:
 * improve in the future. <-- TODO!
 */
 rsRetVal
-parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost)
+parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost, int flags)
 {
 	DEFiRet;
 	register int iMsg;
@ -815,7 +817,7 @@ parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost)
 			 */
 			if(iMsg == MAXLINE) {
 				*(pMsg + iMsg) = '\0'; /* space *is* reserved for this! */
-				printline(hname, tmpline, bParseHost);
+				printline(hname, tmpline, bParseHost, flags);
 			} else {
 				/* This case in theory never can happen. If it happens, we have
 				 * a logic error. I am checking for it, because if I would not,
@ -867,7 +869,7 @@ parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost)
 	*(pMsg + iMsg) = '\0'; /* space *is* reserved for this! */

 	/* typically, we should end up here! */
-	printline(hname, tmpline, bParseHost);
+	printline(hname, tmpline, bParseHost, flags);

 finalize_it:
 	RETiRet;
--- a/syslogd.h
+++ b/syslogd.h
@ -62,6 +62,7 @@

 /* Flags to logmsg().
 */
+#define NOFLAG		0x000	/* no flag is set (to be used when a flag must be specified and none is required) */
 #define INTERNAL_MSG	0x001	/* msg generated by logmsgInternal() --> special handling */
 #define SYNC_FILE	0x002	/* do fsync on file after printing */
 #define ADDDATE		0x004	/* add a date to the message */
@ -117,7 +118,7 @@ typedef struct filed selector_t;	/* new type name */

 #define MSG_PARSE_HOSTNAME 1
 #define MSG_DONT_PARSE_HOSTNAME 0
-rsRetVal parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost);
+rsRetVal parseAndSubmitMessage(char *hname, char *msg, int len, int bParseHost, int flags);
 int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost);
 void untty(void);
 rsRetVal selectorConstruct(selector_t **ppThis);
--- a/tcps_sess.c
+++ b/tcps_sess.c
@ -207,8 +207,7 @@ PrepareClose(tcps_sess_t *pThis)
 		 * this case.
 		 */
 		dbgprintf("Extra data at end of stream in legacy syslog/tcp message - processing\n");
-		parseAndSubmitMessage(pThis->fromHost, pThis->msg,
-			              pThis->iMsg, MSG_PARSE_HOSTNAME);
+		parseAndSubmitMessage(pThis->fromHost, pThis->msg, pThis->iMsg, MSG_PARSE_HOSTNAME, NOFLAG);
 		pThis->bAtStrtOfFram = 1;
 	}

@ -354,7 +353,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen)
 			/* emergency, we now need to flush, no matter if
 			 * we are at end of message or not...
 			 */
-			parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME);
+			parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG);
 			iMsg = 0;
 			/* we might think if it is better to ignore the rest of the
 		 	 * message than to treat it as a new one. Maybe this is a good
@ -365,7 +364,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen)

 		if(*pData == '\n' &&
 		   pThis->eFraming == TCP_FRAMING_OCTET_STUFFING) { /* record delemiter? */
-			parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME);
+			parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG);
 			iMsg = 0;
 			pThis->bAtStrtOfFram = 1;
 			++pData;
@ -379,7 +378,7 @@ DataRcvd(tcps_sess_t *pThis, char *pData, size_t iLen)
 			pThis->iOctetsRemain--;
 			if(pThis->iOctetsRemain < 1) {
 				/* we have end of frame! */
-				parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME);
+				parseAndSubmitMessage(pThis->fromHost, pMsg, iMsg, MSG_PARSE_HOSTNAME, NOFLAG);
 				iMsg = 0;
 				pThis->bAtStrtOfFram = 1;
 			}