mirror of
https://github.com/rsyslog/rsyslog.git
synced 2025-12-20 00:20:42 +01:00
90308823df
In the community we frequently discuss handling of oversize messages. David Lang rightfully suggested to create a central capability inside rsyslog core to handle them. We need to make a distinction between input and output messages. Also, input messages frequently need to have some size restrictions done at a lower layer (e.g. protocol layer) for security reasons. Nevertheless, we should have a central capability * for cases where it need not be handled at a lower level * as a safeguard when a module invalidly emits it (imfile is an example, see https://github.com/rsyslog/rsyslog/pull/2632 for a try to fix it on the module level - we will replace that with the new capability described here). The central capability works on message submission, and so cannot be circumvented. It has these capabilities: * overisze message handling modes: - truncate message - split message this is of questionable use, but also often requested. In that mode, the oversize message content is split into multiple messages. Usually, this ends up with message segments where all but the first is lost anyhow as the regular filter rules do not match the other fragments. As it is requested, we still implemented it. - accept message as is, even if oversize This may be required for some cases. Most importantly, it makes quite some sense when writing messages to file, where oversize does not matter (accept from a DoS PoV). * report message to a special "oversize message log file" (not via the regular engine, as that would obviously cause another oversize message) This commit, as the title says, handles oversize INPUT messages. see also https://github.com/rsyslog/rsyslog/issues/2190 closes https://github.com/rsyslog/rsyslog/issues/2681 closes https://github.com/rsyslog/rsyslog/issues/498 Note: this commit adds global parameters: * "oversizemsg.errorfile", is used to specify the location of the oversize message log file. * "oversizemsg.report", is used to control if an error shall be reported when an oversize message is seen. The default it "on". * add global parameter "oversizemsg.input.mode" is used to specify the mode with which oversized messages will be handled.
38 lines
1.3 KiB
Bash
Executable File
38 lines
1.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# addd 2016-05-13 by RGerhards, released under ASL 2.0
|
|
|
|
. $srcdir/diag.sh init
|
|
. $srcdir/diag.sh generate-conf
|
|
. $srcdir/diag.sh add-conf '
|
|
$MaxMessageSize 128
|
|
global(processInternalMessages="on"
|
|
oversizemsg.input.mode="accept")
|
|
module(load="../plugins/imtcp/.libs/imtcp")
|
|
input(type="imtcp" port="13514")
|
|
|
|
action(type="omfile" file="rsyslog.out.log")
|
|
'
|
|
. $srcdir/diag.sh startup
|
|
. $srcdir/diag.sh tcpflood -m1 -M "\"<120> 2011-03-01T11:22:12Z host tag: this is a way too long message that has ab
|
|
9876543210 cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtesttesttesttesttesttesttesttest\""
|
|
. $srcdir/diag.sh shutdown-when-empty
|
|
. $srcdir/diag.sh wait-shutdown
|
|
|
|
grep "Framing Error in received" rsyslog.out.log > /dev/null
|
|
if [ $? -ne 0 ]; then
|
|
echo
|
|
echo "FAIL: expected error message from imtcp not found. rsyslog.out.log is:"
|
|
cat rsyslog.out.log
|
|
. $srcdir/diag.sh error-exit 1
|
|
fi
|
|
|
|
grep "9876543210cdefghijklmn test8 test9 test10 test11 test12 test13 test14 test15 kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk tag: testtestt" rsyslog.out.log > /dev/null
|
|
if [ $? -ne 0 ]; then
|
|
echo
|
|
echo "FAIL: expected date from imtcp not found. rsyslog.out.log is:"
|
|
cat rsyslog.out.log
|
|
. $srcdir/diag.sh error-exit 1
|
|
fi
|
|
|
|
. $srcdir/diag.sh exit
|